Content Security Policy (CSP) can be used to effectively prevent certain types of client-side attacks. CSP does allow the owner of a website to control where third-party code can come from, but it does not provide a robust or granular way of handling what that code does once it is executing in the browser. As Magecart-like attacks become more sophisticated, it is essential to address not only what services may interact with your visitor, but what that interaction looks like and how it may be controlled.”]
Source: https://www.darkreading.com/attacks-breaches/why-csp-isn-t-enough-to-stop-magecart-like-attacks