CSP: style-src-elem
The HTTP Content-Security-Policy (CSP) style-src-elem directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
The directive does not set valid sources for inline style attributes; these are set using style-src-attr (and valid sources for all styles may be set with style-src).
| CSP version | 3 |
|---|---|
| Directive type | Fetch directive |
default-src fallback |
Yes.
If this directive is absent, the user agent will look for the |
Syntax
Content-Security-Policy: style-src-elem 'none';
Content-Security-Policy: style-src-elem <source-expression-list>;
This directive may have one of the following values:
'none'-
No resources of this type may be loaded. The single quotes are mandatory.
<source-expression-list>-
A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions.
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in CSP Source Values.
style-src-elem can be used in conjunction with style-src:
Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-elem <source>;
Examples
Violation cases
Given this CSP header:
Content-Security-Policy: style-src-elem https://example.com/
…the following stylesheets are blocked and won't load:
<link href="https://not-example.com/styles/main.css" rel="stylesheet" />
<style>
#inline-style {
background: red;
}
</style>
<style>
@import url("https://not-example.com/styles/print.css") print;
</style>
…as well as styles loaded using the Link header:
Link: <https://not-example.com/styles/stylesheet.css>;rel=stylesheet
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # directive-style-src-elem |
Browser compatibility
BCD tables only load in the browser