CSP unsafe-inline #11720
Comments
you could use 'nonce-myrandomstring' or move the snippet into an external js file |
My piwik.js file is on my server and the snippet is already in an external file. I've tried to add the nonce on it but I still have the issue. |
Hi @mchandelier do you confirm that our instructions at https://piwik.org/faq/general/faq_20904/ are outdated and that it doesn't just work? |
Hi @mattab, |
Ok we will need to investigate. If anyone knows about CSP feel free to take a look (Pull request welcome!). |
Hi @mattab, I am using the piwik script in an external file too to prevent having any inline js code in my pages, and I am encountering the same problem as @mchandelier. Do you have an idea why the piwik script, which is embedded in an external script, requires using |
We also got another feedback today on the CSP FAQ: Here was the feedback:
|
I followed the instructions in https://matomo.org/faq/general/faq_20904/ and it seems to be working. I use this policy on my server.
See for example this site: https://xdeb.org/. I have implemented this in my Hugo theme frjo/hugo-theme-zen. |
It would be better to supply the siteID and other parameters via URL parameters to the tracking script. This way it would be 100% CSP-compliant without the need of using a second JS file. The matomo script would read these attributes from
The parameters can be parsed via
Here for an IE polyfill: https://github.com/amiller-gh/currentScript-polyfill |
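As an added illustration of the proposal above (not Matomo's own tracker code): the tracker reads its site id and endpoint from the query string of its own `<script src>` tag, found through `document.currentScript`, so the page carries no inline JS and the policy needs no 'unsafe-inline'. The parameter names `idsite` and `url`, and the `matomo.php` default endpoint, are assumptions.

```javascript
// Added example: configure the tracker from its own <script src="..."> URL.
// Assumed query parameters: idsite (numeric site id) and url (tracker endpoint).

function parseTrackerParams(scriptSrc) {
  // scriptSrc may be absolute or relative; the base only matters for relative paths
  const url = new URL(scriptSrc, 'https://example.invalid/');
  const idsite = url.searchParams.get('idsite');
  const trackerUrl = url.searchParams.get('url');
  if (!idsite || !/^\d+$/.test(idsite)) {
    return null; // refuse to track with a missing or non-numeric site id
  }
  return {
    idsite: Number(idsite),
    // assumed default endpoint: matomo.php in the same directory as the script
    trackerUrl: trackerUrl || new URL('matomo.php', url).href,
  };
}

function buildPaq(params) {
  // Same command list the documented inline snippet pushes onto _paq,
  // now produced entirely inside the external file.
  return [
    ['trackPageView'],
    ['enableLinkTracking'],
    ['setTrackerUrl', params.trackerUrl],
    ['setSiteId', String(params.idsite)],
  ];
}

function configureFromCurrentScript(doc) {
  // document.currentScript is null for module scripts and outside the
  // script's initial evaluation, so fall back to the last <script> element.
  const script = doc.currentScript || doc.scripts[doc.scripts.length - 1];
  if (!script || !script.src) return null;
  const params = parseTrackerParams(script.src);
  return params ? buildPaq(params) : null;
}

// In a browser the tracker would call configureFromCurrentScript(document)
// and feed the returned commands to its queue; the functions above are pure
// so they can be unit-tested without a DOM.
```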
Hi all, on the admin interface there are many usages of inline scripts and also a usage of eval (I see another ticket for the eval but apparently it was closed with the correction). The easier patch is to use a base64-encoded nonce for each line where inline JS is called (also for CSS). Example code can be added in core\Twig.php (maybe another place is better...):

```php
class PiwikTwigNonceJs extends \Twig_Extension
{
    private $nonce;

    /**
     * Generates a random nonce value in base64.
     * @return string
     */
    public function getNonce() : string
    {
        // Only generate once per request, while the nonce is still null
        if (!$this->nonce) {
            $this->nonce = base64_encode(random_bytes(20));
        }
        return $this->nonce;
    }

    /**
     * @return array
     */
    public function getFunctions()
    {
        return [
            new \Twig_SimpleFunction('csp_nonce', [$this, 'getNonce']),
        ];
    }
}

// @ the end of the Twig class
$this->twig->addExtension(new PiwikTwigNonceJs());
```

Modify the template file to add the meta at the beginning of the (example on plugins/Morpheus/templates/layout.twig)
And each template contains the script inline like plugins/Morpheus/templates/_jsGlobalVariables.twig
|
Hello everyone, ixbarbarbar's solution gave me this:
I changed Is there something I missed? |
Hi @perdittmann, that code is using an old version of twig that matomo doesn't use anymore. Instead of the /core/Twig.php changes you made, these changes should work: https://github.com/matomo-org/matomo/compare/csp-nonce?expand=1 can you try them out? |
Hi @diosmosis, thank you for your help! I updated every instance of <script> tags with the nonce-Code (throughout the plugins folder, about 45). I suppose I will have to do that again with every Matomo update? Alas, the admin panel is still blank below the blue header.
(close to the end of the < head >). Am I in luck and you could point me in the right direction again? |
If there only was a way to search the entire source code … 🤦 getJsInclusionDirective() is defined in core/AssetManager.php. |
hi @perdittmann, you can use |
(I had just realized I can search the source code right here, that was me being self-deprecating. 😄) |
Do we have a CSP compliant solution yet? |
@mattab I have just added this issue for prioritisation - it would be a good security improvement to either update the docs to provide guidance on this or suggest solutions. |
This issue came up in a Pentest we had for one of our customers. The CSP can be set up in a good way in the frontend (either using a separate file or by using a nonce). But the Matomo backend currently can not be used without
without |
The tracker itself ( I know that this is not a task that would be solved in a few hours. But for Matomo this would make a big difference when it should be used by big companies or public authorities as they might complain about the weak CSP header in the backend. |
You're right. piwik.js only uses that in a part that is used for tests only, so that won't occur when tracking. |
With |
Not only plugins. There is for example https://github.com/matomo-org/matomo/blob/5.x-dev/plugins/CoreVue/polyfills/dist/MatomoPolyfills.min.js or https://github.com/matomo-org/matomo/blob/5.x-dev/plugins/UserCountryMap/javascripts/vendor/jquery.qtip.min.js#L20-L19, which are using |
Hi, I was wondering:
Cristian |
Hi @totola-clx, Besides that: The login page at least uses some JS. I don't know whether some of that JS is required. |
Hi,
I've set up Piwik like you suggest in your FAQ. However, to be able to use it, I have to allow `script-src 'unsafe-inline'`, which I don't want. Will you make an enhancement to avoid this?