script-src-attr
script-src-attr
script-src-attr
The script-src-attr directive specifies valid sources for JavaScript inline event handlers. This includes only inline script event handlers like onclick, but not URLs loaded directly into <script> elements.
Recommended Values
'none'
Blocks all inline scripts (recommended)
Blocks all inline scripts (recommended)
'sha256-<hash>'
Allows inline event handlers that match a specific hash
Allows inline event handlers that match a specific hash
'report-sample'
Includes samples of blocked scripts in violation reports to help with debugging
Includes samples of blocked scripts in violation reports to help with debugging
Explore detailed value definitions
Tips & Tricks
Do not use event handlers like 'onclick' in the tag. Favor the use of line like 'document.getElementById('btn').addEventListener('click', doSomething)' instead.
Using 'unsafe-hashes' with this directive can be risky. Consider using hashes instead.
This directive is more specific than script-src and only applies to inline event handlers.
Available Values
'none'
Blocks all inline styles (recommended)
Blocks all inline styles (recommended)
'sha256-<hash>'
Allows inline event handlers that match a specific hash
Allows inline event handlers that match a specific hash
'report-sample'
Includes samples of blocked scripts in violation reports to help with debugging
Includes samples of blocked scripts in violation reports to help with debugging
'unsafe-inline'
Allows all inline event handlers (not recommended)
Allows all inline event handlers (not recommended)
'unsafe-hashes'
Allows event handlers that match hash (use with caution)
Allows event handlers that match hash (use with caution)
Examples
Allows inline event handlers from the same origin
Content-Security-Policy: script-src-attr 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=';Allowed
<!-- allowed by 'sha256-xsuTGwM1pbHxJt6Bcu7KLls/Z+Q7K2yHs6kiFf8OBkA=' --> <button onclick="alert('Hello')">Click me</button>Blocked
<!-- blocked as the hash of the script is not in the directive --> <button onclick="alert('An other text')">Click me</button>
Frequently Asked Questions
What is the script-src-attr directive used for?
The script-src-attr directive specifically controls JavaScript event handlers added as HTML attributes (like onclick, onload, etc). It provides more granular control than script-src by focusing only on inline script attributes.
Security Note
Using 'unsafe-hashes' with script-src-attr still poses security risks. Consider refactoring inline event handlers to use addEventListener() instead.
How does script-src-attr differ from script-src?
While script-src controls all JavaScript sources, script-src-attr only governs event handler attributes in HTML elements. If script-src-attr is not set, the browser falls back to script-src. This allows for more precise control over different types of JavaScript execution contexts.
Usage Example
script-src-attr 'none' completely blocks inline event handlers like <button onclick='...'>, while still allowing other scripts controlled by script-src.
What are the recommended values for script-src-attr?
The most secure approach is to use 'none' to completely block inline event handlers and move all event handling to separate JavaScript files. If inline handlers are necessary, use 'unsafe-hashes' with specific hashes of allowed handlers, but be aware of the security implications.
Best Practice
Modern web development best practices favor using addEventListener() over inline event handlers, making 'none' the ideal value for script-src-attr.
Need to monitor CSP violations and maintain it easily?
Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.
Set up your endpoint now