script-src-attrscript-src-attr is a granular directive that controls only JavaScript execution in inline event-handler attributes (on* attributes like onclick, onload). It does not govern <script> elements. When omitted it falls back through script-src → default-src.
Inline event handlers are a classic XSS injection point. Setting script-src-attr 'none' entirely blocks JavaScript embedded in HTML attributes (e.g., <img onerror="payload">), sharply reducing markup-injection attacks. Conversely, script-src-attr 'unsafe-inline' permits such handlers and is dangerous.
This directive is especially useful when legacy code depends on inline handlers. The ideal combination opens script file loading (script-src-elem) strictly via nonce while blocking inline handlers with 'none'. If existing code uses many onclick attributes, migrate them to addEventListener before applying this, or functionality will break.
Content-Security-Policy: script-src-attr 'none'