3.4.3.2 Types of CSP Violations

Learn about types of CSP violations.

CSP violation types for 'unsafe-inline' include:

  1. Inline Script Tag: Occurs when an inline <script> tag does not have a valid nonce.

    <script>
        console.log('This script will be blocked by CSP because it lacks the correct nonce.');
    </script>
  2. Inline Style Attribute: Happens when the style attribute is used directly on an HTML element.

    <!-- This inline style will be blocked by CSP -->
    <span style="color: blue;">Text</span>
  3. Inline Style Tag: Similar to script violations but related to <style> tags or inline styles.

    <!-- Blocked if no valid nonce is provided -->
    <style>
      body { background-color: red; }
    </style>
  4. Inline JavaScript Attribute: Triggered when inline JavaScript is used in HTML attributes such as onclick, onmouseover, and so on.

    <!-- This will be blocked by CSP -->
    <button onclick="alert('Clicked!')">Click Me</button>
  5. External Resource Violation: Blocked when a resource (for example, script, style) is loaded from a source not allowed in the CSP header.

    <!-- Blocked if cdn.example.com is not in the script-src directive -->
    <script src="https://cdn.example.com/library.js"></script>
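
When triaging violation reports, the five types above can be told apart from the report fields alone. The following is an added example, not code from this documentation or the product it describes. It assumes reports arrive as the JSON "csp-report" body that browsers POST to a report-uri endpoint. The function names and sample reports are constructed for illustration.

```javascript
// Added example: map a CSP violation report to the violation types listed above.
// Field names follow the "csp-report" JSON body browsers POST to a report-uri endpoint.
const INLINE_TYPES = {
  'script-src-elem': 'Inline Script Tag',
  'script-src-attr': 'Inline JavaScript Attribute',
  'style-src-elem': 'Inline Style Tag',
  'style-src-attr': 'Inline Style Attribute',
};

function classifyViolation(body) {
  const r = (body && body['csp-report']) || {};
  // Older browsers send only violated-directive, sometimes with the source list appended.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '')
    .trim().split(/\s+/)[0].toLowerCase();
  const blocked = String(r['blocked-uri'] || '').toLowerCase();
  if (!directive) return 'Unclassified';
  if (blocked === 'inline') {
    if (INLINE_TYPES[directive]) return INLINE_TYPES[directive];
    // A plain script-src / style-src report cannot tell a tag from an attribute.
    if (directive === 'script-src') return 'Inline Script (tag or attribute)';
    if (directive === 'style-src') return 'Inline Style (tag or attribute)';
    return 'Unclassified';
  }
  if (/^https?:/.test(blocked) && /^(script|style)-src/.test(directive)) {
    return 'External Resource Violation';
  }
  return 'Unclassified';
}

// Constructed sample reports (not captured from a real application).
const samples = [
  { 'csp-report': { 'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'style-src-attr', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'style-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'script-src-attr', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.example.com/library.js' } },
  { 'csp-report': { 'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } },
];

function classifyAll(reports) { return reports.map(classifyViolation); }
console.log(classifyAll(samples));
```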