Problem
The SecurityHeadersMiddleware replaces 'unsafe-inline' with a per-request nonce in style-src:
csp_str = _STYLE_SRC_UNSAFE_INLINE.sub(rf"\1'nonce-{nonce}'", self.csp_value)
CSP nonces only cover <style> elements — they do not cover inline style="" attributes on HTML elements. When 'unsafe-inline' is replaced with a nonce, all elements with style="" attributes trigger CSP violations.
Impact
Any Skrift app using csp_nonce: true (the default) with 'unsafe-inline' in style-src will have all inline style attributes blocked. This breaks legitimate template rendering that uses inline styles.
Suggested Fix
Stop replacing 'unsafe-inline' in style-src. Only inject nonces into script-src. CSS cannot execute JavaScript, so nonces for styles provide minimal security benefit while breaking inline style attributes.
Alternatively, use the style-src-attr 'unsafe-inline' directive alongside style-src-elem with nonces, but browser support is more limited.
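The three behaviours discussed above (the current style-src rewrite, the suggested script-src-only fix, and the style-src-elem / style-src-attr alternative) side by side, as an added example that is not Skrift's own code. The `CSP_VALUE` string, the `_nonced` helper and the two `*_allowed` checks are assumptions written for this illustration; the checks model the CSP3 rules that a nonce never matches a `style=""` attribute and that `'unsafe-inline'` is ignored once a nonce or hash source is present in the governing directive.

```python
from __future__ import annotations

import secrets
from typing import Optional

# Constructed policy standing in for a Skrift csp_value (assumption: the
# report does not quote the project's default, so this is illustrative).
CSP_VALUE = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"

# Source expressions whose presence makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    return "; ".join(" ".join([name, *values]) for name, values in policy.items())


def _nonced(values: list[str], nonce: str) -> list[str]:
    """Swap 'unsafe-inline' for a nonce source, leaving other expressions alone."""
    return [f"'nonce-{nonce}'" if v == "'unsafe-inline'" else v for v in values]


def buggy_header(csp: str, nonce: str) -> str:
    """Behaviour described in the report: nonce injected into script-src AND style-src."""
    policy = parse_csp(csp)
    for name in ("script-src", "style-src"):
        if name in policy:
            policy[name] = _nonced(policy[name], nonce)
    return serialize_csp(policy)


def fixed_header(csp: str, nonce: str) -> str:
    """Suggested fix: only script-src gets the nonce; style-src is left untouched."""
    policy = parse_csp(csp)
    if "script-src" in policy:
        policy["script-src"] = _nonced(policy["script-src"], nonce)
    return serialize_csp(policy)


def split_style_header(csp: str, nonce: str) -> str:
    """Alternative fix: nonce for <style> elements via style-src-elem, while
    style="" attributes keep working via style-src-attr 'unsafe-inline'.
    style-src is kept as-is as the fallback for browsers lacking the granular directives."""
    policy = parse_csp(fixed_header(csp, nonce))
    if "style-src" in policy:
        policy["style-src-elem"] = _nonced(policy["style-src"], nonce)
        policy["style-src-attr"] = ["'unsafe-inline'"]
    return serialize_csp(policy)


def _governing(policy: dict[str, list[str]], specific: str, fallback: str) -> Optional[list[str]]:
    """CSP3 fallback chain: granular directive -> style-src -> default-src."""
    for name in (specific, fallback, "default-src"):
        if name in policy:
            return policy[name]
    return None


def style_attr_allowed(csp: str) -> bool:
    """Would an inline style="" attribute be allowed under this policy?
    Nonces never match attributes, and 'unsafe-inline' is ignored once a nonce
    or hash source is present ('unsafe-hashes' is deliberately not modelled)."""
    values = _governing(parse_csp(csp), "style-src-attr", "style-src")
    if values is None:
        return True  # no applicable directive: nothing restricts the attribute
    return "'unsafe-inline'" in values and not any(v.startswith(NONCE_OR_HASH) for v in values)


def style_elem_allowed(csp: str, nonce: str) -> bool:
    """Would a <style nonce="..."> element be allowed under this policy?"""
    values = _governing(parse_csp(csp), "style-src-elem", "style-src")
    if values is None:
        return True
    if f"'nonce-{nonce}'" in values:
        return True
    return "'unsafe-inline'" in values and not any(v.startswith(NONCE_OR_HASH) for v in values)


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)
    for label, build in (("buggy", buggy_header), ("fixed", fixed_header), ("split", split_style_header)):
        header = build(CSP_VALUE, nonce)
        print(f"{label:6} attr={style_attr_allowed(header)!s:5} "
              f"elem={style_elem_allowed(header, nonce)!s:5} {header}")
```

Running the script shows the report's point directly: the `buggy` variant keeps `<style>` elements working but blocks every `style=""` attribute, while both fixes keep attributes allowed. The `split` variant leaves the original `style-src` in place so that browsers without `style-src-elem` / `style-src-attr` support fall back to it, which is the browser-support trade-off mentioned above.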