Which security policy aims to protect against cross-site scripting attacks?

Study for the Tableau Qualified Associate Architect Exam.

The Content Security Policy (CSP) is designed specifically to mitigate and prevent cross-site scripting (XSS) attacks. It lets web developers specify which sources of dynamic resources are allowed to load on their web pages. Because the browser then loads and executes only content from trusted sources, CSP reduces the attack surface available for XSS. For instance, if a site defines a CSP that permits scripts only from its own domain and a few trusted domains, any attempt by an attacker to inject malicious scripts from an arbitrary domain will be blocked by the browser.

In contrast, other security policies do not specifically address XSS vulnerabilities in the same way. Data Loss Prevention (DLP) focuses on protecting sensitive data from being lost, misused, or accessed by unauthorized users but does not specifically target script injection attacks. Access Control Policy deals with permissions and user access management, while Network Security Policy concerns the overall security measures applied to network communications without specifically addressing web application vulnerabilities like XSS.
