
CSP doesn't help unless you can apply a strict policy to every page of your site. If a single page has an XSS, that gives js execution to the attacking code, which can then steal cookies, forge requests, exfiltrate localstorage, etc.

With multiple domains, you at least can limit the blast radius of an XSS; on the same domain, most protections can be circumvented. E.g. there's no CORS protection, so if different apps use different implementations of CSRF, just fetch the other app's page over XHR and parse out its CSRF token; it's probably there or in a cookie which you should be able to read.


