Cross-site scripting attacks are a major threat to web applications. Such attacks are used to inject undesirable content into web pages. The Content Security Policy is an approach to mitigate content injection and secure websites. The security mechanism is added to the HTTP header and prohibits the execution of inline scripts, whitelists resources and bans dangerous JavaScript functions. CSP is a client side protection and is enforced by the browser. The real-world adoption of the Content Security Policy is investigated due to the promising protection of CSP against cross-site scripting, having an adoption rate of 2.5% for the one million most popular sites in 2018. Unfortunately, the effort to make websites CSP compatible is high and results in a trade-off between security and functionality. Additionally, the security of CSP against content injection cannot keep its promises. In literature 94.72% of all investigated real-world policies are bypassed due to unsafe endpoints in the whitelist and other vulnerabilities. Finally, these numbers require changes in the use and concept of CSP.