Fix CSP Style-Src Violations for Blocked CSS
In this tutorial, you'll learn about Fix CSP Style. We cover key concepts, practical examples, and best practices.
External stylesheets from CDNs, Google Fonts CSS files, and inline style attributes are blocked when style-src is too restrictive. The page renders without styles, appearing broken. Every external stylesheet domain and inline style source must be explicitly allowed.
Wrong
The CSP only allows styles from the same origin.
Content-Security-Policy: style-src 'self'
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<div style="color: red">This text is red</div>
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto'
because it violates the following Content Security Policy directive:
"style-src 'self'".
Refused to load the stylesheet 'https://cdn.example.com/theme.css' because it
violates the following Content Security Policy directive: "style-src 'self'".
Refused to apply inline style because it violates the following Content Security
Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword,
a hash ('sha256-...'), or a nonce ('nonce-...') is required for inline execution.
Right
Add each external domain and use 'unsafe-inline' only if necessary for inline styles.
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com https://cdn.example.com 'unsafe-inline'
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<div style="color: red">This text is red</div>
For applications that can avoid inline styles, use a nonce instead:
<link rel="stylesheet" href="https://cdn.example.com/theme.css" nonce="abc123">
<style nonce="abc123">
.highlight { color: red; }
</style>
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com 'nonce-abc123'
The 'unsafe-inline' keyword in style-src is less dangerous than in script-src because inline styles cannot execute arbitrary code, but nonce-based styles are still preferred for strict CSP.
Prevention
- Specify exact external stylesheet domains in
style-srcfor each CDN or font service. - Use
'unsafe-inline'for inline styles only when migrating to nonce-based style CSP. - For static inline styles, consider moving them to external stylesheets to avoid
'unsafe-inline'. - Google Fonts requires both
style-src https://fonts.googleapis.comandfont-src https://fonts.gstatic.com. - Use
'sha256-...'hashes for individual inline style blocks that do not change. - Test the CSP in report-only mode before enforcing it to catch blocked styles.
DodaTech Tools
Doda Browser highlights all blocked stylesheets in the developer tools panel with the exact directive that blocked them. DodaZIP's web page audit tool captures pre- and post-CSP screenshots to verify visual regression. Durga Antivirus Pro's web interface uses a strict style-src with nonces for its admin dashboard.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro