script-src-elem
Content-Security-Policy Fetch

Overview

script-src-elem is a granular script directive that applies only to <script> elements (external src loading and inline <script> blocks). It does not govern inline event-handler attributes. When omitted it falls back through script-src → default-src.

Details

CSP3 lets you split script-src into two: script-src-elem governs <script> tags (elements) while script-src-attr governs on* event-handler attributes (e.g., onclick="..."). This split enables precise designs such as 'lock external/inline script loading strictly with a nonce, but control inline handlers with a separate policy.'

Mind the fallback: when script-src-elem is present, it — not script-src — governs <script> elements. So placing a nonce only on script-src while specifying script-src-elem differently can make element-loading behavior deviate from expectations; when using both, be clear about which policy governs each element type.

Syntax

Content-Security-Policy: script-src-elem 'self' 'nonce-r4nd0m' https://cdn.example.com

Notes

Related directives