content security policy – What do I risk if I use CSP header style-src-attr ‘unsafe-hashes’


I’m wondering if I’m risking anything if I use

style-src-attr 'unsafe-hashes' <hash>

in my CSP header.

I need to allow an external script to run, and it uses the style attribute on some elements.

I have no control over the external script, and if there is a malicious person behind it, what might an attack vector be? (considering unsafe-inline has not been added)

How can a style attribute execute scripts or access my DOM or otherwise cause anything harmful to happen?