Security ... think about it!
As typical XSS attacks inject JavaScript into a web page, CSP ignores inline JavaScript, i.e. JavaScript embedded in HTML code. In addition, CSP only loads a web page's external assets from a set of whitelisted sites, said Twitter. [zdnet.com]
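The two behaviours described above (inline scripts refused, external scripts loaded only from listed sources), as an added example that is not from the original page or from Twitter: a simplified model of the decision a browser makes for scripts under a `Content-Security-Policy` header. The policy string, host names and function names are constructed for illustration; nonces, hashes, ports and paths are not modelled, and scheme-less host sources are matched on host name only.

```javascript
// Added example: simplified model of how a browser applies CSP to scripts.
// Covers 'self', 'none', '*', scheme sources and host sources; nonces, hashes,
// paths and ports in host sources are deliberately left out.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function scriptSources(directives) {
  // script-src falls back to default-src; null means "no restriction on scripts".
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function allowsInlineScript(header) {
  const sources = scriptSources(parsePolicy(header));
  return sources === null || sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

function allowsExternalScript(header, scriptUrl, pageOrigin) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some(raw => {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") return url.origin === new URL(pageOrigin).origin;
    if (src === '*') return ['http:', 'https:'].includes(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // e.g. https:
    if (src.startsWith("'")) return false; // other keywords never match a URL
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const [, scheme, host] = m;
    if (scheme && url.protocol !== scheme + ':') return false;
    return host.startsWith('*.')
      ? url.hostname.endsWith(host.slice(1)) // *.example.com matches subdomains only
      : url.hostname === host;
  });
}

// Constructed policy for illustration.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com *.assets.example";
```

With `POLICY`, an injected inline `<script>` is refused because `'unsafe-inline'` is absent, and a script URL on a host outside the list is refused even though the page itself is served over HTTPS.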