Most CSPs are too loose to actually prevent XSS. This tool scores directive quality, nonce/hash coverage, strict-dynamic adoption, and the weaknesses that let XSS slip through.
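A sketch of the kind of checks described above, as an added example rather than this tool's own code or scoring rules. The function names, finding labels and sample policies are assumptions made for illustration.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return a list of finding labels (hypothetical names) for one policy.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent.
  const script = d.get("script-src") ?? d.get("default-src");
  if (!script) {
    findings.push("no-script-restriction");
  } else {
    const has = (re) => script.some((s) => re.test(s));
    const nonceOrHash = has(/^'(nonce-|sha(256|384|512)-)/i);
    const strictDynamic = has(/^'strict-dynamic'$/i);
    if (!nonceOrHash) findings.push("no-nonce-or-hash");
    // A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
    if (has(/^'unsafe-inline'$/i) && !nonceOrHash) findings.push("unsafe-inline-active");
    if (has(/^'unsafe-eval'$/i)) findings.push("unsafe-eval");
    // 'strict-dynamic' makes browsers ignore host and scheme sources.
    if (!strictDynamic && has(/^(\*|https?:|data:)$/i)) findings.push("wildcard-or-scheme-source");
    if (nonceOrHash && !strictDynamic) findings.push("strict-dynamic-not-adopted");
  }
  // object-src also falls back to default-src; base-uri does not.
  const object = d.get("object-src") ?? d.get("default-src");
  if (!object || !object.some((s) => /^'none'$/i.test(s))) findings.push("object-src-not-none");
  if (!d.has("base-uri")) findings.push("base-uri-missing");
  return findings;
}

// Constructed sample policies, not taken from any real site.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'";
console.log(auditCsp(WEAK), auditCsp(STRICT));
```

The second policy keeps 'unsafe-inline' and https: only as fallbacks for older browsers, which is why it produces no findings.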
Read the story behind this tool: Why this tool exists — security stack.
Related: CSP hardening on jwatte.com