script-src-elem / script-src-attr
Once event handlers have been migrated to addEventListener, script-src-attr 'none' locks them down completely. Any remaining inline handler — including ones injected by third-party scripts — is blocked.
Response header
Content-Security-Policy: script-src-elem 'self' 'nonce-TP9nlDh7xXA5swe0Q4hTOA=='; script-src-attr 'none'Inline event handler in page source
<button onclick="markScriptRan()">Click me</button>
Result — click the button
( ._.)
Check the browser console to see the CSP violation error.