- Improvement
- Resolution: Fixed
- Normal
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
This can help prevent XSS/click-jacking on forms that are intended to be secure. For example, we can block all scripts from running on the change-password form unless they specifically come from musicbrainz.org or staticbrainz.org. (This header may interfere with userscripts on editing forms, so I'd leave it unset there.)
- is a dependency of
  - MBS-11058 Tighten security of OAuth service (Closed)
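The policy described in this ticket, sketched as an added example (not MusicBrainz Server code). The form path, the `frame-ancestors 'none'` directive chosen for the click-jacking part, and all function names are assumptions; `script_allowed` is a simplified model of browser source matching that compares scheme and host only.

```python
from urllib.parse import urlsplit

# Assumption: path prefix of a form "intended to be secure" (hypothetical path).
SECURE_FORM_PATHS = ("/account/change-password",)
# Script origins named in the ticket.
SCRIPT_SOURCES = ("https://musicbrainz.org", "https://staticbrainz.org")


def build_policy():
    """Allow scripts only from the listed origins and forbid framing the page."""
    return "; ".join([
        "script-src " + " ".join(SCRIPT_SOURCES),
        "frame-ancestors 'none'",
    ])


def csp_header_for(path):
    """Return the header for secure forms; None elsewhere, so editing forms
    (where userscripts run) are left without a policy."""
    if any(path == p or path.startswith(p + "/") for p in SECURE_FORM_PATHS):
        return ("Content-Security-Policy", build_policy())
    return None


def parse_policy(value):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_allowed(policy_value, script_url=None):
    """Simplified check: would this script load? script_url=None means inline."""
    directives = parse_policy(policy_value)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive governs scripts
    if script_url is None:
        return "'unsafe-inline'" in sources
    url = urlsplit(script_url)
    for source in sources:
        if source.startswith("'"):
            continue  # keyword sources do not match URLs in this model
        allowed = urlsplit(source)
        if (allowed.scheme, allowed.hostname) == (url.scheme, url.hostname):
            return True
    return False
```

With this policy an injected inline script, or one loaded from a look-alike host, is refused on the password form, while pages outside `SECURE_FORM_PATHS` receive no header at all.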