script-src-elem / script-src-attr
script-src-elem governs <script> elements and requires a nonce. script-src-attr 'unsafe-inline' governs event handler attributes separately, allowing them without affecting script blocks. This lets you adopt nonces incrementally.
Response header
Content-Security-Policy: script-src-elem 'self' 'nonce-ZPimwEfMuLk45ChZhPt4cg=='; script-src-attr 'unsafe-inline'Inline event handler in page source
<button onclick="markScriptRan()">Click me</button>
Result — click the button
( ._.)