'unsafe-inline' in style-src directive capping score to A when it should probably not

[joelbourbon]

Hi,

I recently reworked my CSP rules to try and get an A+ using your tooling.
I adjusted my CSP rules using the Google Tooling --> https://csp-evaluator.withgoogle.com/

According to their evaluation, having 'unsafe-inline' in style-src directive is not an issue.

Would me nice to have both your tools agree on the severity of this ;)

Thanks,

[ScottHelme]

I’m still considering removing the unsafe-inline cap for style-src, there have been other developments in this space too.

[Seirdy]

@ScottHelme I disagree that unsafe-inline styles should allow an A+. The point of a "+" should be distinguishing sites that go beyond basic expectations (i.e. getting an "A").

I like the idea of "one grade that shows every security header is set with maximum protections". I wouldn't want to lose that. Perhaps there should be an "A++" grade that forbids unsafe directives and requires other headers (COEP, COOP, etc).