This document discusses defeating cross-site scripting (XSS) attacks through Content Security Policy (CSP). CSP allows website owners to restrict which resources the browser is allowed to load, such as scripts, styles, fonts, and frames. To implement CSP, website owners add special HTTP headers that define the policy and restrict what code and resources can be loaded. Preparing a site for CSP involves eliminating inline scripts and styles, removing javascript: URIs, and adding the CSP headers. CSP is not a replacement for proper cross-site scripting prevention but acts as an additional layer of defense.
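As an added example (not code from the document summarised above), the following Python script audits an HTML page for the constructs the preparation step has to eliminate (inline scripts and styles, on* handler attributes, javascript: URIs) and only proposes the enforcing header once the audit is clean, falling back to the Report-Only header otherwise. The sample page and the policy value are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample page: one legitimate external script plus the inline
# constructs a strict script-src/style-src policy would block.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>alert('inline');</script>
<style>body { color: red }</style>
</head><body>
<a href="javascript:void(0)" onclick="doThing()">click</a>
<div style="margin:0">x</div>
</body></html>
"""

class CspReadinessAuditor(HTMLParser):
    """Records each construct that a policy without 'unsafe-inline' blocks."""
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, location) tuples
        self._in_inline = None      # 'script' or 'style' while inside such an element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._in_inline = "script"
        elif tag == "style":
            self._in_inline = "style"
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}>"))
            elif name == "style":
                self.findings.append(("inline-style-attr", f"<{tag} style>"))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", f"<{tag} {name}>"))

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.findings.append((f"inline-{self._in_inline}", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_inline = None

def audit(html):
    p = CspReadinessAuditor()
    p.feed(html)
    p.close()
    return p.findings

def policy_header(findings, enforce=False):
    """Ship the enforcing header only when the audit is clean; otherwise use
    Report-Only so violations are reported without breaking the page."""
    value = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'"
    name = "Content-Security-Policy" if enforce and not findings else "Content-Security-Policy-Report-Only"
    return name, value
```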