I was just running my site against webpagetest.org and started learning about how CSPs protect against XSS. I realize there's a plugin for Moodle that handles this, but I'm wondering is this necessary? Has Moodle already dealt with the XSS threat in it's core or is this plugin recommended?