XXS and Content Security Policy (CSP)

Hi everyone,
As introduction here, https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

Content Security Policy (CSP) is an effective “defense in depth” technique to be used against content injection attacks. It is a declarative policy that informs the user agent what are valid sources to load from.

Well, if I have a CSP of this type:

Content-Security-Policy: script-src ‘self’ https://apis.google.com

In this case, e.g. I take ‘self’ as ‘abc.com

If I have and XSS of this type:

It will be ‘refused’ to execute by CSP.

But, what if the XSS is persistent?, and it will be served from the ‘self’, I don’t think CSP will ‘refuse to execute’ it in anyway.

Is my thinking right?, please help me clarify this, thank you all.

Well, seems the filter has filtered my XSS code :disappointed_relieved:

should be markdown mate three of these at the beginning ``` and end