Cross Site Scripting, commonly referred to as XSS, is among the most pervasive flaws on the web today.
With an XSS flaw, an attacker is potentially able to inject a script from another domain into a site without authorization. According to Google engineers Lukas Weichselbaum and Michele Spagnuolo, XSS is also a big issue for Google, which is why the company has invested in efforts to help reduce the risk with a technology approach known as Content Security Policy (CSP).