That is correct. The print button simply uses window.print() and if you forbid inline code via CSP, that won’t work. That will be a classical “won’t fix” since it would be totally unreasonable to include an extra .js file just for this one minimal function. Especially because WordPress itself will not work without ‘unsafe-inline’ and ‘unsafe-eval’ in the first place. If you really need to be that strict, just simply don’t use the print button. It’s function is merely a sometimes convenient offer that can easily be circumvented by using the native browser options.
If you really, really, really need a strict CSP and you really, really, really need the print button, you could try to work something out with script-src-attr, but that is still not supported by all browsers. Like I said, you probably would be better of just getting rid of the print button.
Cheers
JP
With this policy, you can be contributing to WordPress don’t work without ‘unsafe-inline’ and ‘unsafe-eval’.
Some people we are trying to promote a safer Internet web.
