CSP 3 adds two new directives that supersede the style-src directive. These must be honored if present, with a fallback to style-src only if they are not. **style-src-elem** specifically for <style> elements https://w3c.github.io/webappsec-csp/#directive-style-src-elem **style-src-attr** specifically for event handler attributes https://w3c.github.io/webappsec-csp/#directive-style-src-attr The major motivation appears to be to allow inline style attributes (which don't support selectors) without allowing full arbitrary style that can change an entire page.
Bug 1529338 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
CSP 3 adds two new directives that supersede the style-src directive. These must be honored if present, with a fallback to style-src only if they are not. **style-src-elem** specifically for <style> elements https://w3c.github.io/webappsec-csp/#directive-style-src-elem **style-src-attr** specifically for `style=` attributes https://w3c.github.io/webappsec-csp/#directive-style-src-attr The major motivation appears to be to allow inline style attributes (which don't support selectors) without allowing full arbitrary style that can change an entire page.