
If you can get over your sputtering moral outrage, you might try looking up things like XSS attacks and how Content-Security-Policy can mitigate it. XSS can have vectors that are more subtle than just raw-echoing back an input field, and CSP is a set of guard rails that can mitigate any potential damage it can do.


Well I guess it can serve some corporate use cases where most people don't have the skills to identify issues and prefer to have a policy to just blanket ban all.

It's a habit in certain large companies to just ban any tool which might potentially be misused.

I see the utility but it's disappointing. I hope they don't force it on everyone because the risk vs solution tradeoff is not relevant to most entities who use it.


It's not a global browser policy setting, it's something the serving website enables on a per-page basis. HN serves a (somewhat lax) CSP header itself.
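As an added illustration of the two points above (a per-response header, and guard rails that can be loosened), here is a small Python checker that is my own example, not code from any commenter or from HN: it parses a Content-Security-Policy header value, flags source expressions that undo the protection against injected scripts, and builds a nonce-based policy for a single response. The policy strings are constructed samples and are not HN's actual header.

```python
"""Added example (not from the thread): inspect a Content-Security-Policy
header value and flag settings that weaken its script guard rails.

Assumptions: the sample policies are constructed; real sites vary.
"""
import secrets
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def find_weaknesses(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if not policy:
        return ["no policy: every script source is allowed"]

    srcs = script_sources(policy)
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")

    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it
    # when no nonce/hash source is present.
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith("'sha256-") for s in srcs
    )
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected <script> runs")
    if "'unsafe-eval'" in srcs:
        findings.append("script-src allows 'unsafe-eval': string-to-code is permitted")
    if any(s in ("*", "https:", "http:") for s in srcs):
        findings.append("script-src uses a wildcard/scheme source: any host may serve scripts")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted: plugin content is unrestricted")
    if "base-uri" not in policy:
        findings.append("base-uri not set: an injected <base> can redirect relative script URLs")
    return findings


def build_strict_policy(nonce: str) -> str:
    """A nonce-based policy for one response; the nonce must be fresh per page."""
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def new_nonce() -> str:
    """Random per-response nonce (the server must echo it into <script nonce=...>)."""
    return secrets.token_urlsafe(16)


# Constructed samples (not HN's real header).
LAX_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"

if __name__ == "__main__":
    for label, policy in (("lax", LAX_POLICY), ("strict", build_strict_policy(new_nonce()))):
        print(label, find_weaknesses(policy) or ["no findings"])
```

The checker is deliberately simple: it does not evaluate every CSP directive, only the ones that most directly decide whether an injected script executes, which is the XSS case the comments are about.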



