In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy, one of the most misunderstood and arguably, most powerful web mitigation techniques. We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore t