@lchandelier opened this Issue on May 19th 2017

I've set up Piwik like you suggest in your FAQ. However, to be able to use it, I have to allow script-src 'unsafe-inline', which I don't want.

Will you make an enhancement to avoid this?

@godofdream commented on May 20th 2017

You could use 'nonce-myrandomstring' or move the snippet into an external JS file.
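
The nonce approach suggested above, as an added example that is not part of the original thread or of Piwik's own code: a `script-src` policy without 'unsafe-inline', plus a simplified audit that lists the inline script such a policy would still block. The function names, the `/js/tracking.js` path and the sample pages are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Fresh, unpredictable nonce for every HTTP response (never a fixed string).
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Policy without 'unsafe-inline': same-origin files plus nonce-tagged inline scripts.
function cspHeader(nonce) {
  return `script-src 'self' 'nonce-${nonce}'`;
}

// Simplified audit (regex-based, not a real HTML parser): list the inline
// script a browser would refuse under the header value passed in.
function inlineViolations(html, headerValue) {
  const m = /'nonce-([^']+)'/.exec(headerValue);
  const allowed = m ? m[1] : null;
  const found = [];
  const scriptTag = /<script\b([^>]*)>/gi;
  let tag;
  while ((tag = scriptTag.exec(html)) !== null) {
    const attrs = tag[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file: 'self' decides
    const n = /\bnonce\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!n || n[1] !== allowed) found.push('inline <script> without matching nonce');
  }
  // Event-handler attributes are inline script too; a nonce cannot cover them.
  const handler = /<[a-z][^>]*\s(on[a-z]+)\s*=/gi;
  let h;
  while ((h = handler.exec(html)) !== null) found.push(`inline handler ${h[1]}`);
  return found;
}

// Constructed sample: nonce-tagged bootstrap plus a same-origin tracker file.
function samplePage(nonce) {
  return `<script nonce="${nonce}">var _paq = window._paq || [];</script>` +
         '<script src="/js/tracking.js"></script>';
}

// Constructed sample: untagged inline script and an inline event handler.
const BAD_PAGE = '<script>var _paq = [];</script><a href="#" onclick="go()">x</a>';
```

The nonce in the header and the nonce attribute on the tag have to come from the same response; a page cached with an old nonce fails the same check.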

@lchandelier commented on May 22nd 2017

My piwik.js file is on my server and the snippet is already in an external file. I've tried to add the nonce on it but I still have the issue.

@mattab commented on June 21st 2017 Member

Hi @mchandelier, do you confirm that our instructions at https://piwik.org/faq/general/faq_20904/ are outdated and that it doesn't just work?

@lchandelier commented on June 21st 2017

Hi @mattab,
It doesn't work for me. The only exception I have from the FAQ is that piwik.js is loaded from the same domain. I may be doing something wrong but I really don't see what.

@mattab commented on June 22nd 2017 Member

OK, we will need to investigate.

If anyone knows about CSP feel free to take a look (Pull request welcome!).

@mbarbey commented on August 15th 2017

Hi @mattab,
Do you have any news on this problem?

I am using the piwik script in an external file too to prevent having any inline js code in my pages, and I am encountering the same problem as @mchandelier.

Do you have an idea why the piwik script, which is embedded in an external script, requires using script-src 'unsafe-inline'?

@mattab commented on June 28th 2019 Member

We also got more feedback today on the CSP FAQ:

Here was the feedback:

I do not understand this guide. Based on this guide I cannot make Matomo CSP-compatible.
Where should I place these script tags? Head or body? Footer?
Why do I need two files? Why can't I just have tracking.js and paste there the normal tracking code?

