Wise words from Google.

If an attacker successfully injects any code at all, it’s pretty much game over.


Source

Google - Content Security Policy