One or more sources can be allowed for the script-src-attr policy:

Content-Security-Policy: script-src-attr <source>;
Content-Security-Policy: script-src-attr <source> <source>;

script-src-attr can be used in conjunction with script-src, and will override that directive for checks on inline handlers:

Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src-attr <source>;

<source> can be any one of the values listed in CSP Source Values.

Note that this same set of values can be used in all fetch directives (and a number of other directives).

Given this CSP header:

Content-Security-Policy: script-src-attr 'none'

…the following inline event handler is blocked and won't be loaded or executed:

<button id="btn" onclick="doSomething()"></button>

Note that generally you should replace inline event handlers with addEventListener calls:

document.getElementById("btn").addEventListener("click", doSomething);

• Content-Security-Policy
• <script>
• script-src
• script-src-elem