I’m wondering if I’m risking anything if I use
style-src-attr 'unsafe-hashes' <hash>
in my CSP header.
I need to allow an external script to run, and it uses the style attribute on some elements.
I have no control over the external script, and if there is a malicious person behind it, what might an attack vector be? (considering unsafe-inline has not been added)
How can a style attribute execute scripts or access my DOM or otherwise cause anything harmful to happen?