Path: blob/main/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md
6532 views
------{{HTTPSidebar}}
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) style-src-elem directive specifies valid sources for stylesheet {{HTMLElement("style")}} elements and {{HTMLElement("link")}} elements with rel="stylesheet".
The directive does not set valid sources for inline style attributes; these are set using {{CSP("style-src-attr")}} (and valid sources for all styles may be set with {{CSP("style-src")}}).
| CSP version | 3 |
|---|---|
| Directive type | {{Glossary("Fetch directive")}} |
| {{CSP("default-src")}} fallback |
Yes.
If this directive is absent, the user agent will look for the {{CSP("style-src")}} directive, and if both of them are absent, fall back to |
Syntax
One or more sources can be allowed for the style-src-elem policy:
style-src-elem can be used in conjunction with {{CSP("style-src")}}:
Sources
<source> can be any one of the values listed in CSP Source Values.
Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a number of other directives).
Examples
Violation cases
Given this CSP header:
…the following stylesheets are blocked and won't load:
…as well as styles loaded using the {{HTTPHeader("Link")}} header:
Specifications
{{Specifications}}
Browser compatibility
{{Compat}}
See also
{{HTTPHeader("Content-Security-Policy")}}
{{CSP("style-src")}}
{{CSP("style-src-attr")}}
{{HTTPHeader("Link")}} header
{{HTMLElement("style")}}, {{HTMLElement("link")}}
{{cssxref("@import")}}
{{domxref("CSSStyleSheet.insertRule()")}}
{{domxref("CSSGroupingRule.insertRule()")}}
{{domxref("CSSStyleDeclaration.cssText")}}