There’s yet another new mechanism to ‘help’ client User-Agents prevent XSS on your websites: Content Security Policy (CSP).
In its simplest form you can simply send the following HTTP header(s); the second one is the prefixed name used by earlier versions of WebKit (Chrome/Safari):
Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
You can also extend the above with further directives to permit particular asset types to load from other sources, e.g. scripts from one extra host:
Content-Security-Policy: default-src 'self'; script-src http://example.com
Additionally, while violations are logged in the client’s browser console (which most users never look at), you can have them sent back to your server by adding a ‘report-uri’ directive that points at an appropriate handler:
Content-Security-Policy: default-src 'self'; report-uri http://example.com/csp-report.php
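Added example (not from the original post): a Python helper that builds the header values shown above from one policy dictionary, plus a parser for the JSON body a browser POSTs to the report-uri handler. The report shape (a top-level "csp-report" object with document-uri, blocked-uri, violated-directive and original-policy) is the CSP 1.0 format; the sample report and the third-party host in it are constructed.

```python
import json

def csp_header_values(policy):
    """Serialize {directive: [sources]} into the value shared by
    Content-Security-Policy and the older X-WebKit-CSP header name."""
    value = "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())
    return {"Content-Security-Policy": value, "X-WebKit-CSP": value}

REQUIRED = ("document-uri", "blocked-uri", "violated-directive")

def parse_csp_report(body, max_len=4096):
    """Validate a report-uri POST body and return the fields worth logging.
    Returns None for anything malformed or oversized, so a garbage request
    cannot crash the handler or poison the log."""
    if len(body) > max_len:
        return None
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    # Keep only the known fields, coerced to bounded strings, for the log line.
    return {k: str(report.get(k, ""))[:512] for k in REQUIRED + ("original-policy",)}

# Constructed sample, shaped like the JSON a CSP 1.0 browser sends.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.com/page.html",
    "referrer": "",
    "blocked-uri": "http://third-party.example/x.js",
    "violated-directive": "script-src http://example.com",
    "original-policy": "default-src 'self'; script-src http://example.com; "
                       "report-uri http://example.com/csp-report.php",
}})

if __name__ == "__main__":
    print(csp_header_values({"default-src": ["'self'"],
                             "script-src": ["http://example.com"]}))
    print(parse_csp_report(SAMPLE_REPORT))
```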