I've set up Piwik like you suggest in your FAQ. However, to be able to use it, I have to allow script-src 'unsafe-inline', which I don't want.
Will you make an enhancement to avoid this?
You could use 'nonce-myrandomstring' or move the snippet into an external js file.
My piwik.js file is on my server and the snippet is already in an external file. I've tried to add the nonce on it but I still have the issue.
It doesn't work for me. The only exception I have from the FAQ is that piwik.js is loaded from the same domain. I may be doing something wrong but I really don't see what.
Ok we will need to investigate.
If anyone knows about CSP feel free to take a look (Pull request welcome!).
Do you have any news on this problem?
I am using the piwik script in an external file too to prevent having any inline js code in my pages, and I am encountering the same problem as @mchandelier.
Do you have an idea why the piwik script, which is embedded in an external script, requires using script-src 'unsafe-inline'?
We also got another piece of feedback today on the CSP FAQ:
Here was the feedback:
I do not understand this guide. Based on this guide I cannot make Matomo CSP-compatible.
Where should I place these script tags? Head or body? Footer?
Why do I need two files? Why can't I just have tracking.js and paste there the normal tracking code?
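Added example, not part of the thread and not Piwik/Matomo code: a server-side sketch of the 'nonce-…' suggestion made earlier in the discussion, together with a simplified model of how a browser decides whether one inline script element may run. The function names and the `SNIPPET` stand-in are assumptions made for this illustration; the model covers nonces, hashes and 'unsafe-inline' only.

```python
import base64
import hashlib
import secrets

def new_nonce():
    """128 random bits, base64-encoded; generate a new one for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(nonce):
    # No 'unsafe-inline': an inline <script> runs only if it carries this nonce.
    return "default-src 'self'; script-src 'self' 'nonce-%s'" % nonce

def script_tag(nonce, body):
    return '<script nonce="%s">%s</script>' % (nonce, body)

def script_sources(policy):
    """Source list governing scripts: script-src, else default-src, else None."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    return directives.get("script-src", directives.get("default-src"))

def inline_script_allowed(policy, body, nonce_attr=None):
    """Simplified model of the browser's decision for one inline <script>."""
    sources = script_sources(policy)
    if sources is None:
        return True  # no directive restricts scripts at all
    lowered = [s.lower() for s in sources]
    nonces = [s[7:-1] for s in sources
              if s[:7].lower() == "'nonce-" and s.endswith("'")]
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-"))
                   for s in lowered)
    if nonce_attr and nonce_attr in nonces:
        return True
    for alg in ("sha256", "sha384", "sha512"):
        digest = base64.b64encode(hashlib.new(alg, body.encode()).digest()).decode()
        if "'%s-%s'" % (alg, digest) in sources:
            return True
    # A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
    if nonces or has_hash or "'strict-dynamic'" in lowered:
        return False
    return "'unsafe-inline'" in lowered

# Constructed stand-in for the tracking snippet (not Piwik's real code).
SNIPPET = "var _paq = window._paq || []; _paq.push(['trackPageView']);"
```

The nonce in the header and the nonce attribute on the tag have to come from the same response; a value hard-coded into a cached page or static file will not match a header generated per request.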