The Content-Security-Policy script-src-attr directive specifies valid sources for JavaScript inline event handlers. It covers only inline event handler attributes such as onclick, but not URLs loaded directly into <script> elements.
|Directive type|Fetch directive|
|default-src fallback|Yes. If this directive is absent, the user agent will look for the script-src directive, and if both are absent, it falls back to the default-src directive.|
One or more sources can be allowed for the script-src-attr policy:

Content-Security-Policy: script-src-attr <source>;
Content-Security-Policy: script-src-attr <source> <source>;
script-src-attr can be used in conjunction with script-src:

Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src-attr <source>;
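As an added example that is not part of the MDN page, the following JavaScript resolves which directive governs an inline event handler attribute under the fallback chain above (script-src-attr, then script-src, then default-src) and decides whether the handler would be permitted; the policy strings are constructed inputs and the nonce value is a placeholder.

```javascript
// Added example (not MDN's code): which CSP directive governs an inline
// event handler attribute such as onclick, and is the handler permitted?
// Fallback chain from this page: script-src-attr -> script-src -> default-src.

const FALLBACK_CHAIN = ['script-src-attr', 'script-src', 'default-src'];

// Parse a Content-Security-Policy header value into a Map of directive
// name -> source list. As in browsers, a repeated directive is ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns the directive that governs inline event handlers, or null when
// none of the three is present (the policy then places no restriction).
function governingDirective(header) {
  const directives = parsePolicy(header);
  return FALLBACK_CHAIN.find((name) => directives.has(name)) ?? null;
}

// Decides whether an inline event handler attribute may execute.
// Handler attributes cannot carry a nonce, so only 'unsafe-inline' can
// admit them; a nonce or hash source, or 'strict-dynamic', in the same
// directive makes a modern browser ignore 'unsafe-inline'.
function inlineHandlerAllowed(header) {
  const name = governingDirective(header);
  if (name === null) return true;
  const sources = parsePolicy(header).get(name);
  const isKeyword = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  if (hasNonceOrHash || isKeyword("'strict-dynamic'")) return false;
  return isKeyword("'unsafe-inline'");
}

// Constructed policies: the header pair shown above locks down handlers
// while still allowing nonced <script> elements (placeholder nonce).
const lockedDown = "script-src 'nonce-PLACEHOLDER'; script-src-attr 'none'";
const legacy = "default-src 'self'; script-src 'unsafe-inline'";
console.log(governingDirective(lockedDown), inlineHandlerAllowed(lockedDown)); // script-src-attr false
console.log(governingDirective(legacy), inlineHandlerAllowed(legacy)); // script-src true
```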
- <host-source>: A host by name or IP address, optionally with a URL scheme and/or port number. The host may include a leading wildcard ('*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. Examples:
  - http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
  - mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
  - https://store.example.com: Matches all attempts to access store.example.com using https:.
  - *.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol.
- <scheme-source>: A scheme such as https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended):
  - data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
  - mediastream: Allows mediastream: URIs to be used as a content source.
  - blob: Allows blob: URIs to be used as a content source.
  - filesystem: Allows filesystem: URIs to be used as a content source.
- Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.
- 'unsafe-eval': Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
- Specifying a nonce makes a modern browser ignore 'unsafe-inline', which could still be set for older browsers without nonce support.

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img> element has no nonce attribute, there is no way to associate it with this CSP source).
- In CSP 3.0, hash sources can also be used with script-src for external scripts.
- 'strict-dynamic': The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as 'unsafe-inline' are ignored. See script-src for an example.
- 'report-sample': Requires a sample of the violating code to be included in the violation report.
|Specification|Status|Comment|
|Content Security Policy Level 3: The definition of 'script-src-attr' in that specification.|Working Draft|Initial definition.|