Hi,

We have encountering a Content Security Policy (CSP) violation in our ASP.NET application related to inline styles being blocked.

The browser console logs this error:
"Refused to apply inline style because it violates the following Content Security Policy directive: 'style-src 'self''."

This occurs when jQuery (v3.7.1.0 and its plugins) or some frontend script attempts to set inline styles dynamically — for example, using .css() or .attr('style', ...).

This occurs when inline <script> tags or jQuery-related dynamic execution (like eval() or Function()) is used.

CSP Header in use:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';

Request for Guidance:

1. What is the best practice in ASP.NET for handling inline style CSP restrictions?
2. Can we dynamically generate a nonce and apply it to inline <style> tags or jQuery-generated styles?
3. Is there a way to rewrite such logic to avoid inline styles and ensure CSP compliance?
4. Should we add a nonce to allow specific inline scripts?
5. Is there a secure way to rewrite or refactor these inline scripts to comply with CSP?
6. Are there existing helper methods/middleware in our stack to automate nonce generation?

Appreciate your input or recommended approach.

Regards,