Allowing certain scripts to set inline styles

Published 2019-07-20 23:22

Question:

I'm securing my page using CSP headers. I set both X-Content-Security-Policy and X-Webkit-CSP to the following value:

default-src 'self';
object-src 'none';
frame-src 'self' *.youtube.com;
style-src 'self' https://ajax.googleapis.com;
script-src 'self' https://ajax.googleapis.com;
report-uri /csp_report

Everything loads fine, but I get the following error in Chrome. I have yet to test it in other browsers.

Refused to apply inline style because it violates the following Content 
Security Policy directive: "style-src 'self' https://ajax.googleapis.com".

referring to a line in a script on the current domain that's trying to insert some HTML containing inline styles. Is there a way to allow scripts that I have whitelisted using script-src to do this? I'm getting the same error for jQuery, hosted on ajax.googleapis.com.

Answer 1:

I overlooked 'unsafe-inline'. Resources that I allowed to load can use inline styles by doing this:

style-src 'unsafe-inline'
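As an added illustration (not part of the original question or answer), the following Python models how a browser decides whether an inline style is allowed under the policy from the question: host sources such as 'self' never match inline content, 'unsafe-inline' allows every inline style, and a 'sha256-...' source allows exactly one `<style>` block while keeping inline styles otherwise blocked. The policy string is a constructed copy of the header in the question; hash sources cover `<style>` element contents, while `style="..."` attributes additionally need 'unsafe-hashes' in CSP3.

```python
import base64
import hashlib

# Constructed copy of the policy value from the question above.
ORIGINAL_POLICY = (
    "default-src 'self'; object-src 'none'; frame-src 'self' *.youtube.com; "
    "style-src 'self' https://ajax.googleapis.com; "
    "script-src 'self' https://ajax.googleapis.com; report-uri /csp_report"
)


def parse_policy(policy):
    """Split a CSP string into {directive name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def style_hash_source(css):
    """Return the quoted 'sha256-<base64>' source expression for one inline style block."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(policy, css):
    """Model the browser's check for an inline style under this policy.

    style-src falls back to default-src when absent. Host sources never match
    inline content; 'unsafe-inline' matches everything, but CSP2+ browsers ignore
    it as soon as a hash or nonce source is present in the same directive.
    """
    directives = parse_policy(policy)
    sources = directives.get("style-src", directives.get("default-src", []))
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return style_hash_source(css) in sources


def harden_with_hash(policy, css):
    """Allow exactly one inline <style> block without resorting to 'unsafe-inline'."""
    directives = parse_policy(policy)
    sources = directives.setdefault("style-src", list(directives.get("default-src", [])))
    sources.append(style_hash_source(css))
    return "; ".join(" ".join([name] + values) for name, values in directives.items())
```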