script-srcscript-src is the single most important CSP directive for XSS defense, controlling which JavaScript sources a page may execute. It governs external <script src> loading, inline scripts, and eval-family execution. When omitted it inherits from default-src.
Allowed sources combine 'self', host/scheme sources, and special keywords for inline code. 'unsafe-inline' permits all inline <script> blocks and event-handler attributes but effectively disables XSS protection, so avoid it. The modern approach is to allow only trusted inline scripts individually via 'nonce-value' (a random token regenerated per request) or 'sha256-...' hashes. 'unsafe-eval' permits eval, new Function, and setTimeout(string); it widens the attack surface and should be removed where possible.
For large sites, 'strict-dynamic' is recommended: scripts trusted via a nonce or hash are allowed to programmatically inject further scripts, which are then automatically trusted, while host-based allowlists ('self', https://cdn...) are ignored. This defeats allowlist-bypass techniques (open redirects, JSONP endpoints), making nonce + 'strict-dynamic' the robust pattern Google recommends.
Content-Security-Policy: script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'