CSP: style-src unsafe-inline
Risk Level: Medium
Confidence: 3
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE ID: 693
WASC ID: 15
Example Instance
URL: https://localhost:44340
Method: GET
Parameter: Content-Security-Policy
Evidence:
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Other Info: style-src includes unsafe-inline.
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-04
Plugin ID: 10055
Scan Metadata
- Branch:
main
- Template Source: Local Repository Code
- Clean Template Version: 7.0.1
- Umbraco CMS Version: 17.0.0
CSP: style-src unsafe-inline
Risk Level: Medium
Confidence: 3
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE ID: 693
WASC ID: 15
Example Instance
URL:
https://localhost:44340Method: GET
Parameter:
Content-Security-PolicyEvidence:
Other Info: style-src includes unsafe-inline.
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-04
Plugin ID: 10055
Scan Metadata
main