unsafe-inline (CSP directive)

A CSP keyword that allows all inline scripts or styles — effectively disabling XSS protection.

In script-src, 'unsafe-inline' tells the browser to execute every inline <script> block and inline event handler (onclick="..." and the like) the page contains, whether the author wrote it or an attacker injected it. In style-src, it permits inline <style> elements and style attributes. It exists to keep legacy sites working, not as a security control.

Why developers care

Most “we added CSP but nothing works” stories end with 'unsafe-inline' in script-src. That silences violations by letting the attack succeed: reflected or stored XSS runs like normal code. The fix is to remove it, add nonces/hashes for the few inline bits you need, and move the rest to files. Until then your CSP is mostly theater.

Example

# Weak — any injected <script> runs:
Content-Security-Policy: script-src 'self' 'unsafe-inline'

# Stronger — inline only with a matching nonce:
Content-Security-Policy: script-src 'self' 'nonce-abc123'
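An added example (not part of this glossary page) showing the two pieces the fix needs, a per-response nonce and a hash-source for an inline script you keep, plus a small audit that flags a script-src that still lets arbitrary inline script run. It also encodes the CSP rule that 'unsafe-inline' is ignored once a nonce- or hash-source is present in the same directive; the header values and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import secrets

HEADER = "Content-Security-Policy"  # header name the policy is sent in


def script_hash_source(inline_js: str) -> str:
    """CSP hash-source for the exact text of an inline <script> body.

    The hash covers the script bytes verbatim (whitespace included), so it
    must be recomputed whenever the inline code changes.
    """
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh, unguessable nonce: one per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce: str, inline_hashes=()) -> str:
    """script-src allowing same-origin files plus the listed inline bits only."""
    sources = ["'self'", f"'nonce-{nonce}'", *inline_hashes]
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"


def parse_policy(header_value: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    out = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def inline_script_allowed(header_value: str) -> bool:
    """True when arbitrary injected inline <script> would execute under this policy.

    'unsafe-inline' permits inline script, but a browser that understands
    nonces/hashes ignores it once a nonce- or hash-source is present in the
    same directive (CSP Level 2+ behaviour).
    """
    policy = parse_policy(header_value)
    # script-src falls back to default-src; with neither, inline script is unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    has_unsafe_inline = "'unsafe-inline'" in sources
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return has_unsafe_inline and not has_nonce_or_hash
```

Run inline_script_allowed over the policies your application actually sends; a True result means an XSS payload would execute exactly as the page describes.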

Spec

CSP3 — 'unsafe-inline'
