Skip to content

Fix CSP Style-Src Violations for Blocked CSS

DodaTech Updated 2026-06-26 2 min read

In this tutorial, you'll learn about Fix CSP Style. We cover key concepts, practical examples, and best practices.

External stylesheets from CDNs, Google Fonts CSS files, and inline style attributes are blocked when style-src is too restrictive. The page renders without styles, appearing broken. Every external stylesheet domain and inline style source must be explicitly allowed.

Wrong

The CSP only allows styles from the same origin.

Content-Security-Policy: style-src 'self'
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<div style="color: red">This text is red</div>
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto'
because it violates the following Content Security Policy directive:
"style-src 'self'".

Refused to load the stylesheet 'https://cdn.example.com/theme.css' because it
violates the following Content Security Policy directive: "style-src 'self'".

Refused to apply inline style because it violates the following Content Security
Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword,
a hash ('sha256-...'), or a nonce ('nonce-...') is required for inline execution.

Add each external domain and use 'unsafe-inline' only if necessary for inline styles.

Content-Security-Policy: style-src 'self' https://fonts.googleapis.com https://cdn.example.com 'unsafe-inline'
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<div style="color: red">This text is red</div>

For applications that can avoid inline styles, use a nonce instead:

<link rel="stylesheet" href="https://cdn.example.com/theme.css" nonce="abc123">
<style nonce="abc123">
  .highlight { color: red; }
</style>
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com 'nonce-abc123'

The 'unsafe-inline' keyword in style-src is less dangerous than in script-src because inline styles cannot execute arbitrary code, but nonce-based styles are still preferred for strict CSP.

Prevention

  • Specify exact external stylesheet domains in style-src for each CDN or font service.
  • Use 'unsafe-inline' for inline styles only when migrating to nonce-based style CSP.
  • For static inline styles, consider moving them to external stylesheets to avoid 'unsafe-inline'.
  • Google Fonts requires both style-src https://fonts.googleapis.com and font-src https://fonts.gstatic.com.
  • Use 'sha256-...' hashes for individual inline style blocks that do not change.
  • Test the CSP in report-only mode before enforcing it to catch blocked styles.

DodaTech Tools

Doda Browser highlights all blocked stylesheets in the developer tools panel with the exact directive that blocked them. DodaZIP's web page audit tool captures pre- and post-CSP screenshots to verify visual regression. Durga Antivirus Pro's web interface uses a strict style-src with nonces for its admin dashboard.

FAQ

### Is unsafe-inline safe for style-src?

'unsafe-inline' in style-src is less dangerous than in script-src because CSS cannot execute arbitrary code or access sensitive data. However, it does allow style injection attacks that could be used for data exfiltration via CSS selectors. Nonce-based styles are more secure and recommended for sensitive applications.

Why does Google Fonts need both style-src and font-src?

Google Fonts serves its CSS from fonts.googleapis.com and the actual font files from fonts.gstatic.com. The CSS file references the font files on a different domain. You must allow both: style-src https://fonts.googleapis.com and font-src https://fonts.gstatic.com for fonts to render correctly.

How do I handle CSS-in-JS libraries with CSP?

CSS-in-JS libraries like styled-components inject inline styles at runtime. You need 'unsafe-inline' in style-src for these to work, or use a nonce-based approach where the library supports it. Some libraries offer a nonce configuration option for CSP compatibility.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro