On Cross-Site Scripting and Content Security Policy