style-src-elem
Thestyle-src-elem
directive controls <style>
elements and <link>
elements with rel="stylesheet"
in your web application. This directive provides granular control over style elements, allowing you to enforce stricter security policies for style elements independently of other style sources.
Recommended Values
'self' Allows the resource to be loaded and executed
'sha256-<hash>' Allows the resource to be loaded and executed
'nonce-<random>' Allows the resource to be loaded and executed
https://subdomain.domain.com/path Allows the resource to be loaded and executed
Recommended style-src-elem configuration (most secure)
Content-Security-Policy: style-src-elem 'self';
Relationship with style-src
Thestyle-src-elem
directive specifically controls <style>
elements and stylesheet links, while the style-src
directive is a fallback that controls all style sources. When style-src-elem
is not specified:
- The browser falls back to the
style-src
directive - If
style-src
is also not specified, it falls back todefault-src
Tips & Tricks
Using 'self' restricts stylesheets to the same origin, which is a good security baseline.
For third-party stylesheets, explicitly whitelist their domains instead of using broad permissions.
The 'unsafe-inline' keyword allows all <style> elements, which can be dangerous and should be avoided.
Consider using nonces or hashes if you must include inline <style> elements.
Possible Values
'none'
: No style elements or stylesheets are allowed'self'
: Allow style elements and stylesheets from the same origin'report-sample'
: Includes a sample of the violating code in violation reports- Nonces:
'nonce-<random>'
for specific style elements - Hashes:
'sha256-<hash>'
for specific style elements - URLs: Specific domains or paths for stylesheets
- ⚠️
'unsafe-inline'
: Allows all style elements (insecure)
Scan Your Website Now
Instantly analyze your website's Content Security Policy. Get actionable insights and improve your security posture in minutes.
Scan Your Website
Enter your website URL to analyze its Content Security Policy configuration.
Get started now by providing your website URL and launch the scan!
Example Configurations
Example policy with nonce and domain whitelist
CSP Header with nonce and allowed domain
Content-Security-Policy: style-src-elem 'self' 'nonce-random123' https://cdn.example.com;
Allowed
<!-- allowed as it has the correct nonce -->
<style nonce="random123">
body { background: #fff; }
</style>
<!-- allowed as it's from the same origin -->
<link rel="stylesheet" href="/styles/main.css">
<!-- allowed as it's from whitelisted domain -->
<link rel="stylesheet" href="https://cdn.example.com/styles.css">
Blocked
<!-- blocked as it has no nonce -->
<style>
body { color: red; }
</style>
<!-- blocked as it's from non-whitelisted domain -->
<link rel="stylesheet" href="https://unauthorized-cdn.com/styles.css">
<!-- blocked as it has wrong nonce -->
<style nonce="wrong">
p { font-size: 16px; }
</style>
Additional Information
- The
style-src-elem
directive is part of CSP Level 3 - It provides more granular control over style elements compared to
style-src
- This directive helps prevent injection of malicious styles through
<style>
elements - Consider using external stylesheets with integrity hashes for third-party resources
Related Resources
External Articles
- MDN Web Docs: style-src-elem
- OWASP: Content Security Policy Cheat Sheet
- Google Web Fundamentals: Content Security Policy