Script-Src-Elem missing from CSP directives #8284

Open
crustamet opened this issue Dec 3, 2023 · 2 comments
Labels
enhancement PRs that improve existing functionalities

Comments

@crustamet
Contributor

Hello, I was looking into this CSP feature more and more and I found out that CodeIgniter does not have this option inside the CSP file & config. Can we get this into master as well, please?

https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/HTTP/ContentSecurityPolicy.php#L701

just missing style-src-elem and in the App/config/CSP

@kenjis kenjis added the enhancement PRs that improve existing functionalities label Dec 3, 2023
@kenjis
Member

kenjis commented Dec 3, 2023

CSP3 directives are not implemented in CI4.
Ref https://forum.codeigniter.com/showthread.php?tid=88753

@crustamet
Contributor Author

No one is working on this, as these headers are miracles for the security and for the future of web development.

I know that these new CSP3 directives are hard to understand for most people :)
I have tried to implement this with raw PHP on a demo site, and it is just crazy :)
When adding a domain to the CSP and allowing it with script-src-elem, it needs more directives to allow only certain stuff. I guess that is why it is called Content Security Policy Level 3, because it has 3 levels of allowances or something.

So for me this CSP3 is out of my understanding...
As I posted this "issue" in 2023, even now in 2025 this CSP3 is still not supported on all browsers.
So since 2023 this directive "script-src-elem" has changed to "script-src-attr-elem"; what is that all about?

Either way, is it worth having it implemented? I guess not... until it is fully supported across most browsers.
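
Added example, not part of the thread and not CodeIgniter's own code: one way to send `script-src-elem` from plain PHP while keeping `script-src` as the fallback that browsers without support for the CSP3 directive enforce. The `buildCsp()` helper and the host `https://cdn.example.test` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not CodeIgniter code): serialise a CSP policy from an array.
 * Directive names and source expressions are validated so that a value
 * containing ';' or ',' cannot smuggle in an extra directive or policy.
 */
function buildCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $name = (string) $name;
        if (!preg_match('/^[a-z0-9-]+$/', $name)) {
            throw new InvalidArgumentException("Bad directive name: {$name}");
        }
        foreach ($sources as $source) {
            // A source expression is one token: no whitespace, ';' or ','.
            if (!is_string($source) || $source === '' || preg_match('/[\s;,]/', $source)) {
                throw new InvalidArgumentException("Bad source in {$name}");
            }
        }
        $parts[] = trim($name . ' ' . implode(' ', $sources));
    }
    return implode('; ', $parts);
}

// Per-response nonce for inline <script nonce="..."> elements.
$nonce = base64_encode(random_bytes(16));

$policy = buildCsp([
    'default-src'     => ["'self'"],
    // Older directive: still enforced by browsers that ignore script-src-elem.
    'script-src'      => ["'self'", "'nonce-{$nonce}'", 'https://cdn.example.test'],
    // CSP3: governs <script> elements (external files and inline blocks).
    'script-src-elem' => ["'self'", "'nonce-{$nonce}'", 'https://cdn.example.test'],
    // CSP3: governs inline event-handler attributes such as onclick.
    'script-src-attr' => ["'none'"],
]);

// Send the header on web requests; print it when run from the command line.
if (PHP_SAPI === 'cli') {
    echo $policy, PHP_EOL;
} else {
    header('Content-Security-Policy: ' . $policy);
}
```

A browser that does not recognise `script-src-elem` or `script-src-attr` skips those directives and applies `script-src`, so the policy should be safe to rely on with only `script-src` in effect.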
