javascript – Example of script-src-attr that is not already handled by script-src-elem

Content-Security-Policy: script-src-attr 'none'; script-src-elem 'unsafe-inline';

will allow inline scripts like <script> alert('I am inline') </script> but disallow event handlers in tags like onclick="alert('I am onclick')" and javascript: navigation like <a href="'...')">.

It's much safer than script-src 'unsafe-inline', because about 90% of XSS is based on badly sanitized user input that lets event handlers in tags slip through, for example <img src=/ onerror="alert(String.fromCharCode(88,83,83))"></img>.


Content-Security-Policy: script-src-attr 'unsafe-inline'; script-src-elem 'nonce-ebf34fd3';

will disallow inline scripts <script> ... </script> without a nonce='ebf34fd3' attribute, but will allow inline event handlers and javascript: navigation.

This is suitable for crafting a safer CSP for old sites with a lot of built-in event handlers.

Please note that as of now only Chrome supports the script-src-attr / script-src-elem directives. Chromium-based Edge should support them, too.
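Added example, not part of the original answer: a small Node.js model of how a CSP3 user agent picks the directive that governs an inline script (script-src-elem or script-src-attr, falling back to script-src, then default-src) and then applies 'none', 'unsafe-inline' and 'nonce-…' sources. The two policy strings from the answer are fed through it alongside a legacy script-src 'unsafe-inline' policy and a nonce-based script-src policy, so the allow/deny outcomes the answer states can be checked directly. The function names (parseCsp, governingDirective, inlineAllowed, evaluate) and the policy labels are this example's own; hash sources, 'strict-dynamic' and 'unsafe-hashes' are deliberately left out.

```javascript
// Added example (not from the original answer): a model of CSP3 directive
// fallback for inline scripts. Covers 'none', 'unsafe-inline' and nonces;
// hashes, 'strict-dynamic' and 'unsafe-hashes' are out of scope.

// Parse a Content-Security-Policy header value into
// { directiveName: [sourceTokens...] }. Directive names are case-insensitive.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Find the directive that governs an inline script of the given kind.
// kind: 'element'   -> <script>...</script>
//       'attribute' -> on* event handler attributes and javascript: URLs
// Fallback chain: script-src-elem / script-src-attr -> script-src -> default-src.
function governingDirective(policy, kind) {
  const specific = kind === 'element' ? 'script-src-elem' : 'script-src-attr';
  for (const name of [specific, 'script-src', 'default-src']) {
    if (Object.prototype.hasOwnProperty.call(policy, name)) {
      return { name, sources: policy[name] };
    }
  }
  return null; // no directive governs scripts: the browser runs them
}

// Decide whether an inline script of `kind` runs under `policy`.
// `nonce` is the <script> element's nonce attribute; event handler attributes
// and javascript: URLs cannot carry one, so it is ignored for kind 'attribute'.
function inlineAllowed(policy, kind, nonce = null) {
  const d = governingDirective(policy, kind);
  if (d === null) return true;

  // Keywords compare case-insensitively; nonce values compare byte for byte.
  const keywords = new Set(d.sources.map((s) => s.toLowerCase()));
  const effective = [...keywords].filter((k) => k !== "'none'");
  if (effective.length === 0) return false; // 'none' or an empty source list

  const hasNonceOrHash = effective.some((k) => /^'(nonce|sha256|sha384|sha512)-/.test(k));
  if (kind === 'element' && nonce !== null && d.sources.includes(`'nonce-${nonce}'`)) {
    return true;
  }

  // Once a nonce or hash source is present, 'unsafe-inline' is ignored (CSP2+).
  // That is what makes a nonce-based policy strict.
  return keywords.has("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies: the two from the answer above plus two common
// script-src-only policies for comparison.
const policies = {
  attrNoneElemInline: "script-src-attr 'none'; script-src-elem 'unsafe-inline';",
  attrInlineElemNonce: "script-src-attr 'unsafe-inline'; script-src-elem 'nonce-ebf34fd3';",
  legacyUnsafeInline: "script-src 'unsafe-inline'",
  strictNonce: "script-src 'nonce-ebf34fd3' 'unsafe-inline'", // 'unsafe-inline' is dead weight here
};

// Evaluate one header against the three inline-script shapes discussed above.
function evaluate(header) {
  const policy = parseCsp(header);
  return {
    inlineScript: inlineAllowed(policy, 'element'),             // <script>alert(1)</script>
    noncedScript: inlineAllowed(policy, 'element', 'ebf34fd3'), // <script nonce="ebf34fd3">...
    eventHandler: inlineAllowed(policy, 'attribute'),           // onerror="..." / href="javascript:..."
  };
}

for (const [label, header] of Object.entries(policies)) {
  console.log(label.padEnd(20), evaluate(header));
}
```

Reading the output: the first policy runs plain <script> blocks but blocks every on* handler, the second does the reverse unless the script element carries the matching nonce, and the nonce-based script-src policy shows why adding 'unsafe-inline' next to a nonce buys nothing for either shape.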