It is a good practice to set a same-origin policy which allows only resources originating from the current domain to be loaded ("Only load your own content"), and then to whitelist any additional resources which should be allowed. Whitelisting can be done by resource type or origination location.
CSP directives are sent to the browser in the response header. The response header can be configured in the application or as a default in the web server configuration.
Example: CSP directives which whitelist current page, Google APIs, and Facebook Like button.
Content-Security-Policy: default-src: 'self'; script-src: 'self' https://apis.google.com; child-src: https://facebook.com