A Content Security Policy (CSP) [1] helps prevent certain XSS, clickjacking, and other code injection attacks. It does so by allowing only approved content (such as scripts, styles, frames, fonts, and images) to load and execute in the browser.
It is recommended to enable the Airlock IAM Content Security Policy. As a defense-in-depth mechanism, it reduces the risk of XSS, clickjacking, and other code injection attacks.
The policy is defined by the server in the Content-Security-Policy response header and enforced by the browser. Note that browser support for CSP varies considerably: older browsers in particular do not support the most recent CSP version, or have no CSP support at all; see [4]. To deal with this situation, the CSP provided by Airlock IAM contains potentially redundant policies for multiple versions of the CSP specification, so that each browser enforces the strongest directives it understands.
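The following added example (not Airlock IAM code; the policy string and nonce are constructed for illustration) models how a single header carrying redundant directives is interpreted by browsers of different CSP levels: a Level 1 browser ignores nonces and `frame-ancestors`, so `'unsafe-inline'` and the legacy `X-Frame-Options` header provide the fallback, while a Level 2+ browser ignores `'unsafe-inline'` once a nonce is present.

```python
"""Model of CSP directive fallback across CSP specification levels.

Added example, not part of Airlock IAM. The policy below is constructed
to show redundant directives for old and new browsers.
"""
from __future__ import annotations

# Constructed sample header value: a nonce for modern browsers, with
# 'unsafe-inline' as the fallback for CSP Level 1 browsers that do not
# understand nonces, and frame-ancestors (Level 2) for clickjacking.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-abc123' 'unsafe-inline'; "
    "frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into directive -> sources."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        # Browsers honour the first occurrence of a duplicated directive.
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def inline_script_allowed(policy: dict[str, list[str]], nonce: str | None,
                          csp_level: int) -> bool:
    """Would an inline <script nonce=...> run in a browser of this level?"""
    # script-src falls back to default-src when absent (all levels).
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources)
    if csp_level >= 2 and has_nonce_or_hash:
        # Level 2+: 'unsafe-inline' is ignored when a nonce/hash is listed,
        # so only a script carrying the matching nonce may run.
        return nonce is not None and f"'nonce-{nonce}'" in sources
    # Level 1: nonce sources are unknown and ignored; inline scripts run
    # only if the redundant 'unsafe-inline' fallback is present.
    return "'unsafe-inline'" in sources


def third_party_framing_blocked(policy: dict[str, list[str]], csp_level: int,
                                x_frame_options: str | None) -> bool:
    """frame-ancestors is Level 2; Level 1 relies on X-Frame-Options."""
    if csp_level >= 2 and "frame-ancestors" in policy:
        return policy["frame-ancestors"] == ["'none'"]
    return x_frame_options is not None and \
        x_frame_options.upper() in ("DENY", "SAMEORIGIN")
```

The trade-off this makes visible is that a Level 1 browser still executes any inline script, so the redundant `'unsafe-inline'` only preserves functionality there; the XSS mitigation is effective only where nonces are understood.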