CSP: style-src-elem
The HTTP Content-Security-Policy
(CSP) style-src-elem
directive specifies valid sources for stylesheet <style>
elements and <link>
elements with rel="stylesheet"
.
The directive does not set valid sources for inline style attributes; these are set using style-src-attr
(and valid sources for all styles may be set with style-src
).
CSP version | 3 |
---|---|
Directive type | Fetch directive |
default-src fallback |
Yes.
If this directive is absent, the user agent will look for the |
Syntax
Content-Security-Policy: style-src-elem 'none';
Content-Security-Policy: style-src-elem <source-expression-list>;
This directive may have one of the following values:
'none'
-
No resources of this type may be loaded. The single quotes are mandatory.
<source-expression-list>
-
A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions. For this directive, the same source expression values are applicable as for
style-src
, with the exception of'unsafe-hashes'
.
style-src-elem
can be used in conjunction with style-src
:
Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-elem <source>;
Examples
Violation cases
Given this CSP header:
Content-Security-Policy: style-src-elem https://example.com/
…the following stylesheets are blocked and won't load:
<link href="https://not-example.com/styles/main.css" rel="stylesheet" />
<style>
#inline-style {
background: red;
}
</style>
<style>
@import url("https://not-example.com/styles/print.css") print;
</style>
…as well as styles loaded using the Link
header:
Link: <https://not-example.com/styles/stylesheet.css>;rel=stylesheet
Specifications
Specification |
---|
Content Security Policy Level 3 # directive-style-src-elem |
Browser compatibility
BCD tables only load in the browser