CSP: style-src-attr

Content-Security-Policy: style-src-attr 'none';
Content-Security-Policy: style-src-attr <source-expression-list>;

This directive may have one of the following values:

'none'

No resources of this type may be loaded. The single quotes are mandatory.

<source-expression-list>

A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions.

Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in CSP Source Values.

style-src-attr can be used in conjunction with style-src:

Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-attr <source>;

Given this CSP header:

Content-Security-Policy: style-src-attr 'none'

…the inline style applied to the element below will not be applied:

<div style="display:none">Foo</div>

The policy would also block any styles applied in JavaScript by setting the style attribute directly, or by setting cssText:

document.querySelector("div").setAttribute("style", "display:none;");
document.querySelector("div").style.cssText = "display:none;";

Style properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript:

document.querySelector("div").style.display = "none";

Note that using JavaScript might independently be blocked using the script-src CSP directive.

• Content-Security-Policy
• style-src
• style-src-elem
• Link header
• <style>, <link>
• @import
• CSSStyleSheet.insertRule()
• CSSGroupingRule.insertRule()
• CSSStyleDeclaration.cssText