unsafe-inline Source List Keyword
The unsafe-inline Content Security Policy (CSP) keyword allows the execution of inline scripts or styles.
Except for one very specific case, you should avoid using the unsafe-inline keyword in your CSP policy. As you might guess, it is generally unsafe to use unsafe-inline. The unsafe-inline keyword annuls most of the security benefits that
It is only OK to use unsafe-inline when it is combined with the strict-dynamic keyword. On browsers that support strict-dynamic (CSP Level 3+), unsafe-inline is ignored, so it provides a route to backwards compatibility on browsers that support CSP Level 2 or lower.
In other words, you should only use it if you really know what you are doing!
The most common reason that unsafe-inline is not working is that you forgot to wrap it in single quotes. It should be specified as: 'unsafe-inline'
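The quoting mistake and the strict-dynamic fallback described above can both be checked mechanically. The following JavaScript is an added example, not code from the original page; the function names, result labels and sample policies (including the nonce value) are constructed for illustration.

```javascript
// Split a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify how a policy uses unsafe-inline for scripts (hypothetical helper).
function classifyUnsafeInline(header) {
  const directives = parseCsp(header);
  // script-src falls back to default-src when it is not present.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return 'no-script-policy';
  const lower = sources.map((s) => s.toLowerCase());
  // Without single quotes the token is read as a host name, not the keyword.
  if (lower.includes('unsafe-inline')) return 'unquoted';
  if (!lower.includes("'unsafe-inline'")) return 'absent';
  // With 'strict-dynamic', CSP Level 3 browsers ignore 'unsafe-inline', so it
  // only takes effect as a fallback on older browsers.
  return lower.includes("'strict-dynamic'") ? 'fallback-only' : 'unsafe';
}

// Constructed sample policies.
const samples = [
  "script-src 'self' unsafe-inline",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:",
  "default-src 'self'",
];
for (const s of samples) console.log(classifyUnsafeInline(s), '<-', s);
```

A result of unquoted means the policy does not enable inline scripts at all, which is usually why the keyword appears not to work; a result of unsafe is the case the page advises against.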
The unsafe-inline source list keyword has been part of the Content Security Policy specification since its first version (CSP Level 1).
Internet Explorer 11 and below do not support the unsafe-inline keyword. This means that IE11 will simply ignore the policy and allow the execution of scripts or CSS as if no policy existed.