
Google CSP Evaluator and style-src ‘unsafe-inline’

Çağlar Arlı


Google provides a CSP evaluator to validate whether a given Content Security Policy is well set up (github, validator). However, if one uses 'unsafe-inline' in the style-src directive, this is reported as 'all good' (see image below).

Does this not (mostly) defeat the purpose of defining a style source? As far as I understand, an attacker would be able to inject CSS. Not as big of an issue as JavaScript execution, but I would not report it with a green checkmark. What am I missing here?

Results from the CSP evaluator.
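The check the question is asking for, as an added example that is not part of the original post and is not code from Google's CSP Evaluator: a minimal parser for a Content-Security-Policy header value, resolution of the directive that actually governs inline styles (style-src, falling back to default-src when style-src is absent), and a finding for 'unsafe-inline' in the effective script-src or style-src. It also handles the case an evaluator has to get right to avoid false positives: when a nonce or hash source is present in the same directive, browsers that implement CSP Level 2 or later ignore 'unsafe-inline', so it is only a real allowance without one. The two policy strings, the severity labels and the `findings` function name are constructed for this example.

```javascript
// Added example, not code from the original question or from Google's CSP Evaluator:
// a minimal CSP parser plus a checker that reports 'unsafe-inline' in the
// *effective* style-src and script-src, including the default-src fallback.

// Directives that fall back to default-src when they are absent (constructed
// subset of the fetch directives). base-uri, form-action and frame-ancestors
// deliberately do not fall back, so they are not listed here.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'object-src', 'media-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Parse "name value value; name value" into a Map of name -> source list.
// Directive names are case-insensitive; a repeated name is ignored because
// browsers honour only the first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Return the source list that actually governs `name`, applying the
// default-src fallback. null means the browser applies no restriction at all.
function effectiveSources(directives, name) {
  if (directives.has(name)) return { from: name, values: directives.get(name) };
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return { from: 'default-src', values: directives.get('default-src') };
  }
  return null;
}

// Check script-src and style-src. 'unsafe-inline' only grants anything when no
// nonce or hash source sits in the same list: CSP Level 2+ browsers ignore
// 'unsafe-inline' once a 'nonce-...' or 'sha256-...' source is present (it is
// usually left in only for old browsers), so that combination is not flagged.
function findings(header) {
  const directives = parseCsp(header);
  const report = [];
  for (const name of ['script-src', 'style-src']) {
    const what = name === 'script-src' ? 'script' : 'style';
    const severity = name === 'script-src' ? 'high' : 'medium'; // constructed labels
    const effective = effectiveSources(directives, name);
    if (effective === null) {
      report.push({ directive: name, severity, from: null,
        issue: `${name} is missing and there is no default-src: inline ${what}s from any origin are allowed` });
      continue;
    }
    const values = effective.values.map(v => v.toLowerCase());
    const hasNonceOrHash = values.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (values.includes("'unsafe-inline'") && !hasNonceOrHash) {
      report.push({ directive: name, severity, from: effective.from,
        issue: `'unsafe-inline' in ${effective.from} lets an injected <${what}> block take effect` });
    }
  }
  return report;
}

// Constructed policies. The first has the shape the question describes; the
// second allows inline styles only when they carry the per-response nonce.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'nonce-rAnd0mV4lue'; object-src 'none'; base-uri 'none'";

console.log(JSON.stringify({ weak: findings(WEAK_POLICY), hardened: findings(HARDENED_POLICY) }, null, 2));
```

Run with `node` and the weak policy yields one medium finding on style-src while the hardened policy yields none. Resolving the effective directive first matters: a policy with only `default-src 'self' 'unsafe-inline'` and an explicit `script-src 'self'` still allows injected inline CSS through the fallback, which a checker that looks only at an explicit style-src would miss.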