← back to examples

script-src-elem / script-src-attr

Once event handlers have been migrated to addEventListener, script-src-attr 'none' locks them down completely. Any remaining inline handler — including ones injected by third-party scripts — is blocked.

Response header
Content-Security-Policy: script-src-elem 'self' 'nonce-TP9nlDh7xXA5swe0Q4hTOA=='; script-src-attr 'none'
Inline event handler in page source
<button onclick="markScriptRan()">Click me</button>
Result — click the button
( ._.)

Check the browser console to see the CSP violation error.