I’m using a content-security-policy that disallows inline-styles. As the mdn article says, it will allow js to set domElement.style.attribute = x, but disallows setAttribute('style', string'). It seems like there are a couple of cases where prosemirror-menu tries to do that (e.g. here)
I feel like this might be an edge case and as I look through the code I don’t see an obvious way to modify it but I think I can work around.