style-srcstyle-src controls the sources of stylesheets and inline CSS, governing external <link rel=stylesheet>, <style> blocks, inline style= attributes, and CSSOM APIs like insertRule. When omitted it inherits from default-src.
Like script-src, it supports 'self', host/scheme sources, 'unsafe-inline', 'nonce-...', and 'sha256-...'. CSS may seem less dangerous than scripts, but style injection can exfiltrate data (via CSS selectors and background:url() reading form values) and enable UI-redressing attacks, so 'unsafe-inline' still warrants caution. If you need external styles (e.g., Google Fonts), name the specific host and allow inline styles individually via nonce/hash.
In practice, fully removing inline style= attributes is hard, so many teams keep 'unsafe-inline' on style-src. Locking script-src strictly with nonce/hash alone still contains the bulk of XSS risk. For finer control, split into style-src-elem (stylesheet elements) and style-src-attr (inline style attributes).
Content-Security-Policy: style-src 'self' 'nonce-r4nd0m' https://fonts.googleapis.com