I have recently been reading up on Content Security Policy headers and came across this comment about stylesheets:
Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you absolutely have to use it, there are a few mechanisms that will allow them.
The bit about inline scripts seemed pretty obvious, but I was curious about why inline styles would be considered a bad thing. Eventually I came across this video which provided some good info:
It seems the main thing to be concerned about is data exfiltration.
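To check whether a given policy actually disallows inline styles, here is a small audit function. It is an added example, not code from the quoted note or the video. It applies the standard CSP fallback chain (style-src-elem / style-src-attr, then style-src, then default-src) and the rule that 'unsafe-inline' is ignored once a nonce or hash source is present. The function names and status strings are made up for this example.

```javascript
// Added example: report whether a Content-Security-Policy value permits inline styles.
// Function names and status strings are hypothetical, chosen for this illustration.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

const NONCE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i;
const HASH = /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// kind: 'style-src-elem' (<style> blocks) or 'style-src-attr' (style="" attributes).
function inlineStatus(policy, kind) {
  // Fallback chain: the specific directive, then style-src, then default-src.
  const governing = [kind, 'style-src', 'default-src'].find((d) => policy.has(d));
  if (!governing) return 'all-inline-allowed'; // nothing in the policy restricts styles
  const sources = policy.get(governing);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonce = sources.some((s) => NONCE.test(s));
  const hasHash = sources.some((s) => HASH.test(s));
  // 'unsafe-inline' is ignored as soon as any nonce or hash source is present.
  if (has("'unsafe-inline'") && !hasNonce && !hasHash) return 'all-inline-allowed';
  if (kind === 'style-src-elem') {
    return hasNonce || hasHash ? 'nonce-or-hash-only' : 'blocked';
  }
  // style="" attributes cannot carry a nonce; hashes apply only with 'unsafe-hashes'.
  return hasHash && has("'unsafe-hashes'") ? 'hash-only' : 'blocked';
}

function auditInlineStyles(header) {
  const policy = parseCsp(header);
  return {
    styleElements: inlineStatus(policy, 'style-src-elem'),
    styleAttributes: inlineStatus(policy, 'style-src-attr'),
  };
}
```

For example, `auditInlineStyles("default-src 'self'; style-src 'self' 'unsafe-inline'")` reports `all-inline-allowed` for both `<style>` elements and `style` attributes, while `default-src 'self'` alone reports `blocked` for both.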