CORS allows a resource server to manage which origins can read its data.
(server -> clients [site])
* set in the headers of the resource server's responses
CSP prevents a site, running in the browser, from itself loading (potentially malicious) content.
(client [site] -> servers)
* set in the headers of the site's initial response
They are *different* things.
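
The two directions side by side, as an added JavaScript example that is not part of the original note. The origins, paths and function names are hypothetical, and the handler models response headers without opening a socket.

```javascript
// Added example: all origins, paths and names below are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// CORS (server -> clients): the resource server states which origins may READ
// its responses. The request still reaches the server either way; the browser
// only withholds the response from script when the header is absent.
function corsHeaders(requestOrigin) {
  const headers = { Vary: "Origin" }; // shared caches must key on Origin
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo the origin only on an exact allowlist match, never blindly.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// CSP (client [site] -> servers): the site states which sources its own page
// may load from. Builds the header value from a directive map.
function cspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

const SITE_CSP = cspHeader({
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "connect-src": ["'self'", "https://api.example"],
});

// One handler playing both roles: /api/* is the resource server (CORS),
// everything else is the site's initial HTML response (CSP).
function handle(req) {
  if (req.url.startsWith("/api/")) {
    return {
      status: 200,
      headers: { "Content-Type": "application/json", ...corsHeaders(req.headers.origin) },
      body: '{"ok":true}',
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/html", "Content-Security-Policy": SITE_CSP },
    body: "<!doctype html><title>site</title>",
  };
}
```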