Content-Security-Policy: script-src-attr directive

Baseline 2022
Newly available

Since December 2022, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

The HTTP Content-Security-Policy (CSP) script-src-attr directive specifies valid sources for JavaScript inline event handlers.

This directive only specifies valid sources for inline script event handlers like onclick. It does not apply to other JavaScript sources that can trigger script execution, such as URLs loaded directly into