Session
CSP is broken, let’s fix it
The CSP standard was supposed to improve the security of websites. But like any standard, it needs to evolve to stay relevant, both in its assumptions about how sites work and in its implementation.
In this talk, we will discuss those gaps and show how the standard can be abused (and is abused), the implementation gaps that cause it to misbehave in browsers, and the poor configurations that website owners deploy.