files/en-us/web/http/reference/headers/content-security-policy/style-src-elem/index.md
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) style-src-elem directive specifies valid sources for stylesheet {{HTMLElement("style")}} elements and {{HTMLElement("link")}} elements with rel="stylesheet".
The directive does not set valid sources for inline style attributes; these are set using {{CSP("style-src-attr")}} (and valid sources for all styles may be set with {{CSP("style-src")}}).
<table class="properties"> <tbody> <tr> <th scope="row">CSP version</th> <td>3</td> </tr> <tr> <th scope="row">Directive type</th> <td>{{Glossary("Fetch directive")}}</td> </tr> <tr> <th scope="row">{{CSP("default-src")}} fallback</th> <td> <p> Yes. If this directive is absent, the user agent will look for the {{CSP("style-src")}} directive, and if both of them are absent, fall back to <code>default-src</code> directive. </p> </td> </tr> </tbody> </table>Content-Security-Policy: style-src-elem 'none';
Content-Security-Policy: style-src-elem <source-expression-list>;
This directive may have one of the following values:
'none'
<source-expression-list>
style-src, with the exception of 'unsafe-hashes'.style-src-elem can be used in conjunction with {{CSP("style-src")}}:
Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-elem <source>;
Given this CSP header:
Content-Security-Policy: style-src-elem https://example.com/
…the following stylesheets are blocked and won't load:
<link href="https://not-example.com/styles/main.css" rel="stylesheet" />
<style>
#inline-style {
background: red;
}
</style>
<style>
@import "https://not-example.com/styles/print.css" print;
</style>
…as well as styles loaded using the {{HTTPHeader("Link")}} header:
Link: <https://not-example.com/styles/stylesheet.css>;rel=stylesheet
{{Specifications}}
{{Compat}}