<p>Using content security policy without style-src 'unsafe-inline' how do you allow styles like this?</p> <p></p> <div class="snippet" data-lang="js" data-hide="false"> <div class="snippet-code"> <pre class="prettyprint snippet-code-html lang-html prettyprint-override"><code><span style="font-size: 16px;">Hello</span></code></pre> </div> </div> <p>I've tried adding a nonce to them and adding that nonce to the CSP header but that doesn't seem to work</p> <p></p> <div class="snippet" data-lang="js" data-hide="false"> <div class="snippet-code"> <pre class="prettyprint snippet-code-html lang-html prettyprint-override"><code><span style="font-size: 16px;" nonce="0611873de7e2db5985c289fdfa946caee2ae1860">Hello</span></code></pre> </div> </div> <p></p> <div class="snippet" data-lang="js" data-hide="false"> <div class="snippet-code"> <pre class="prettyprint snippet-code-html lang-html prettyprint-override"><code>"style-src 'nonce-0611873de7e2db5985c289fdfa946caee2ae1860' 'self'"</code></pre> </div> </div> <p>Is there any way to do this without adding the 'unsafe-inline' directive??</p>

Content Security Policy allow inline style without unsafe-inline

Using content security policy without style-src 'unsafe-inline' how do you allow styles like this?

<span style="font-size: 16px;">Hello</span>

I've tried adding a nonce to them and adding that nonce to the CSP header but that doesn't seem to work

<span style="font-size: 16px;" nonce="0611873de7e2db5985c289fdfa946caee2ae1860">Hello</span>

"style-src 'nonce-0611873de7e2db5985c289fdfa946caee2ae1860' 'self'"

Is there any way to do this without adding the 'unsafe-inline' directive??

452

asked Oct 06 '15 18:10

According to https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c35 nonces for style attributes isn't supported

108

answered Oct 14 '22 10:10

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!