How does Content Security Policy work?

How does Content Security Policy work?

I’m getting a bunch of errors in the developer console:

Refused to evaluate a string
Refused to execute inline script because it violates the following Content Security Policy directive
Refused to load the script
Refused to load the stylesheet

What’s this all about? How does Content Security Policy work? How do I use the Content-Security-Policy HTTP header?
Specifically, how to…

…allow multiple sources?
…use different directives?
…use multiple directives?
…handle ports?
…handle different protocols?
…allow file:// protocol?
…use inline styles, scripts, and tags

Related:  Early exit from function?