Error on clicking Register button

That upgrade resolves the problem of the error on clicking the register button.

I regret, though, that the new version requires an ‘unsafe-inline’ value for the content security policy directives style-src-attr and style-src-elem

Something changed between the current version and the previous version such that visitors can no longer register for an event, so I hope you will be able to treat this issue as a bug, not an enhancement.

I know that the issue concerns the content security policies, because everything works fine if I disable them. I also suppose that the issue concerns the two directives mentioned above: style-src-attr and style-src-elem.

Regarding the fact that eme may have been using inline styles previously, let me just say that I have never had any issues with the CSP impacting any EME functionality in previous versions.

Here is what appears on the front end:

The shortcode [eme_events] no longer appears at all. However, if I disable CSP, it appears correctly.

In the browser console, a large number of CSP-related messages appear, such as:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'strict-dynamic' https://ajax.googleapis.com https://checkout.stripe.com http://code.ionicframework.com https://code.ionicframework.com https://fonts.googleapis.com https://mysite.com 'nonce-Q1BTLzOnfLriMOMIMnqmQNhOD0wD0ITxP0xkZq6lXvMduSdUqksEockMlPWdVmIleHs3DeLa01pPTLmBS4KcWjspmQ6oNjapYIy7h9wEEmZKUlZNwDEVVZUrzmsfuf3U'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

I recognize that the problem might well be in my CSP directives, but it would help me enormously if you were able to tell me what changed in the last version such that—all of a sudden—the directives that used to work fine are causing the page to fail. Do you have any intuition about that?

The basic reference for Content Security Policy is at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Policies may be defined either at the web server level, for example, in .htaccess, or in the code that generates web pages. For WordPress sites, this is typically done via a plugin. I am not aware of any themes having CSP functionality.

As an example, the directive style-src determines valid sources for stylesheets. If an attempt to made to load a stylesheet that is not authorized, the web server will refuse to do so and the browser will see the error in its console. In addition, errors can be logged and a report is sent to a definable point so you can see what errors might occur.

Since this can be a complicated business, CSP allows you to either enforce the policies or not and to log and report the errors or not. A typical approach is to log, but not enforce, the policies so you can analyze what is happening and decide what should be allowed; what should be denied. When you are comfortable with the policy configurations, you can then turn on enforcement.

The console message I included in my previous message contains the exact contents of one of the directives, as an example. I would be happy to share with you more details, but not in this semi-public place. Let me know how you wish to proceed.