CSPeare: Content Security Policy generation using the Playwright browser automation library
2025 (English) Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Abstract [en]
Background. Cross-site scripting (XSS) has been a significant security risk to web applications for many years. Content Security Policy (CSP) can defend against XSS by limiting what sources a website can load scripts and other types of content from; however, many websites either do not implement it or use it insecurely, partly due to CSP's perceived complexity.
Objectives. This thesis investigates how effectively browser automation can generate CSP that mitigates stored and reflected XSS, by automating both the generation and the evaluation of CSP rules in a simple command-line tool. The tool requires only a regular development environment and operates non-invasively: it does not require modifications to the website's code to be useful.
Methods. Following a Design Science Research methodology, a program, CSPeare, is developed. It uses the Playwright browser automation library and Google's CSP Evaluator library to detect a website's resource requirements, generate suitable CSP rules, and provide both feedback on the rules' strength and recommendations on how the tested website could be changed to allow stricter rules. The tool is empirically evaluated on both constructed test sites and real-world websites, analyzing both the effectiveness of the generated CSP and whether website functionality is preserved.
Results. The tool successfully generated CSP mitigating reflected and stored XSS in a number of websites without breaking website functionality, providing relevant recommendations where applicable. However, the findings also reveal trade-offs between security and usability in cases where inline scripts and dynamic content prevent effective CSP.
Conclusions. The study provides empirical insights into automated CSP generation. CSPeare shows that browser automation can effectively aid in the creation of CSP rules, lowering the barrier to adoption of CSP, although its non-invasive approach limits what it can do and precludes the use of strict CSP. Future work could explore more complex scenarios, such as interactive web applications, combining CSPeare's approach with more invasive methods to make more restrictive rules possible, and cover more types of XSS.
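The core of the approach described in the abstract, observing what a page loads and turning those observations into CSP directives while flagging the inline-script trade-off, can be illustrated in a few dozen lines. The block below is an added example, not CSPeare's code and not Google's CSP Evaluator; it assumes an input shape matching what a Playwright `page.on('request')` handler sees (`request.resourceType()`, `request.url()`, whether the request belongs to the main frame) plus counts of inline scripts and styles found in the DOM, and the hosts under `example.test` and `example-cdn.test` are hypothetical. The observation data is constructed, not captured from a real site.

```javascript
// Added example (not CSPeare's code): build a CSP from observed page loads,
// then grade it with the checks a CSP evaluator would apply.

// Playwright resourceType -> CSP directive that governs that kind of fetch.
const DIRECTIVE_FOR_TYPE = {
  script: 'script-src',
  stylesheet: 'style-src',
  image: 'img-src',
  font: 'font-src',
  media: 'media-src',
  fetch: 'connect-src',
  xhr: 'connect-src',
  websocket: 'connect-src',
  document: 'frame-src', // a document loaded into a child frame
};

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// observed = { requests: [{ resourceType, url, isMainFrame }], inlineScripts, inlineStyles }
function generateCsp(observed, siteOrigin) {
  const sources = new Map(); // directive -> Set of source expressions (insertion-ordered)
  const add = (d, s) => {
    if (!sources.has(d)) sources.set(d, new Set());
    sources.get(d).add(s);
  };
  add('default-src', "'self'"); // anything not listed below falls back to same-origin
  add('object-src', "'none'");  // no plugin content, which could otherwise run script
  add('base-uri', "'self'");    // an injected <base> must not redirect relative script URLs

  for (const r of observed.requests) {
    if (r.resourceType === 'document' && r.isMainFrame) continue; // the page itself
    const directive = DIRECTIVE_FOR_TYPE[r.resourceType];
    if (!directive) continue;
    const origin = originOf(r.url);
    add(directive, origin === siteOrigin ? "'self'" : origin);
  }

  const recommendations = [];
  // Non-invasive trade-off: the tool cannot rewrite the site, so inline code can only be
  // kept working with 'unsafe-inline', which reopens the very vector CSP is meant to close.
  if (observed.inlineScripts > 0) {
    add('script-src', "'unsafe-inline'");
    recommendations.push(`${observed.inlineScripts} inline script(s): move them to external ` +
      `files or add per-response nonces, then drop 'unsafe-inline' from script-src`);
  }
  if (observed.inlineStyles > 0) {
    add('style-src', "'unsafe-inline'");
    recommendations.push(`${observed.inlineStyles} inline style(s): externalize them to ` +
      `drop 'unsafe-inline' from style-src`);
  }
  if (!sources.has('script-src')) add('script-src', "'none'"); // no scripts seen: allow none

  const header = [...sources].map(([d, s]) => `${d} ${[...s].join(' ')}`).join('; ');
  return { header, recommendations };
}

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) policy.set(name, values);
  }
  return policy;
}

// Checks in the spirit of CSP Evaluator (not its code): does the policy stop script injection?
function evaluateCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p.get('script-src') ?? p.get('default-src');
  if (!scriptSrc) return ['HIGH: no script-src or default-src, scripts are unrestricted'];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("HIGH: 'unsafe-inline' in script-src without nonces/hashes lets injected <script> run");
  if (scriptSrc.includes("'unsafe-eval'"))
    findings.push("MEDIUM: 'unsafe-eval' lets injected strings reach eval()/new Function()");
  if (scriptSrc.includes('*') || scriptSrc.some((s) => /^https?:$/.test(s)))
    findings.push('HIGH: wildcard scheme or host in script-src allows scripts from anywhere');
  if (!p.has('object-src') && !(p.get('default-src') ?? []).includes("'none'"))
    findings.push('HIGH: object-src missing, plugin content can execute script');
  if (!p.has('base-uri'))
    findings.push('MEDIUM: base-uri missing, injected <base> can hijack relative script URLs');
  return findings;
}

// Constructed observation of a hypothetical site at https://example.test (assumed hosts).
const SAMPLE = {
  requests: [
    { resourceType: 'document', url: 'https://example.test/', isMainFrame: true },
    { resourceType: 'script', url: 'https://example.test/app.js' },
    { resourceType: 'script', url: 'https://cdn.example-cdn.test/lib.js' },
    { resourceType: 'stylesheet', url: 'https://example.test/style.css' },
    { resourceType: 'image', url: 'https://example.test/hero.jpg' },
    { resourceType: 'image', url: 'https://images.example-cdn.test/logo.png' },
    { resourceType: 'fetch', url: 'https://api.example.test/v1/items' },
    { resourceType: 'websocket', url: 'wss://live.example.test/stream' },
    { resourceType: 'font', url: 'https://example.test/fonts/a.woff2' },
    { resourceType: 'document', url: 'https://widgets.example.test/embed', isMainFrame: false },
  ],
  inlineScripts: 2,
  inlineStyles: 0,
};

const generated = generateCsp(SAMPLE, 'https://example.test');
console.log(generated.header);
console.log(generated.recommendations);
console.log(evaluateCsp(generated.header));
```

With two inline scripts in the sample, the generator has to emit `'unsafe-inline'` in `script-src` to keep the site working, and the evaluator immediately reports that as a HIGH finding together with the recommendation to externalize or nonce the scripts; set `inlineScripts` to 0 and the same policy evaluates clean. That is the security/usability trade-off the Results paragraph describes, and why a non-invasive tool cannot reach a strict, nonce-based policy on its own.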
Place, publisher, year, edition, pages
2025, p. 35
Keywords [en]
Content Security Policy, CSP, Cross-Site Scripting, XSS, web application security
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-27471
OAI: oai:DiVA.org:bth-27471
DiVA, id: diva2:1938872
Subject / course
PA1445 Bachelor's Course in Software Engineering (Kandidatkurs i Programvaruteknik)
2025-02-24, 2025-02-19, 2025-09-30. Bibliographically approved