On opt-out page move js to separate file to fix inline-script (CSP) #12873
FYI: Merging this PR would break matomo-org/tracker-proxy#37 which we finished yesterday cc @diosmosis
This PR should now also work with the patched tracker-proxy whose PR is referenced above. To achieve this an additional get parameter ( I'm not that familiar with the matomo routing so if there is a better way to do this please tell me.
I don't think using a special URL that doesn't actually work in matomo (ie, the This should ideally be handled entirely in the tracker-proxy (so matomo doesn't have to know the tracker-proxy exists). Something like, in the tracker-proxy for matomo-proxy.php, rewriting URLs to JS/CSS files in the output to point to matomo-proxy.php instead (eg,
@mattab Can you take another look at the branches? I changed the proxy.php to replace the path in the content to point to the If that is ok with you I would create a new PR for the proxy and master
Was this closed by accident, @mattab?
Thanks for updating @Skywalker-11! There's an extra file that was added to the PR and tmp/.gitkeep shouldn't have its file mode changed. I'll review the tracker-proxy changes next and we'll merge that first when everything's ready.
misc/user/.htaccess
Outdated
Require all granted | ||
</IfModule> | ||
</IfModule> | ||
</Files> |
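Review bot: `Require all granted` at the end of misc/user/.htaccess is an access-control rule that has nothing to do with moving the opt-out script into its own file. Please drop this file from the PR; if an access rule under misc/user is really needed, submit it separately with an explanation of what the `<Files>` block opens up and why.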
This file was added by accident I think.
BTW, if you could create a PR for your tracker-proxy changes (which in general look good), that would be helpful.
Yes, files shouldn't be there. Maybe leftovers from setup or phpunit.
I'll reopen it.
…ow is closed. Otherwise, if reload takes more than 1s, the interval will run again and try another reload, cancelling the pending one. Which results in no reload occurring.
…ne-script CSP (matomo-org#12873)
* on opt-out page move js to separate file to fix inline-script (CSP)
* Compatibility of separate optOutJs with tracker-proxy
* remove distinction between proxy and normal request
* revert unwanted changes of /tmp/.gitkeep and created .htaccess
* In optout form, clear new window closed check interval after new window is closed. Otherwise, if reload takes more than 1s, the interval will run again and try another reload, cancelling the pending one. Which results in no reload occurring.
This PR moves the JavaScript part of the opt-out page that can be loaded via an iframe to a separate file. This allows the usage of CSP without the need to allow inline scripts or using hashes.
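The two points of this thread, running the opt-out script without inline code and clearing the "window closed" interval before reloading, shown together as an added example that is not the PR's code. The file name, the element id `optout-link` and the injectable `timers` parameter are assumptions made for illustration.

```javascript
// optout-example.js (constructed); loaded with <script src="optout-example.js" defer>,
// so a policy of "script-src 'self'" is enough: no inline script, no hashes.
const realTimers = {
  setInterval: (fn, ms) => setInterval(fn, ms),
  clearInterval: (id) => clearInterval(id),
};

// Poll a popup and run onClosed exactly once after it has been closed.
function watchPopupClosed(popup, onClosed, timers = realTimers, periodMs = 1000) {
  const id = timers.setInterval(() => {
    if (!popup.closed) return;
    // Stop polling before acting: a reload slower than one period would
    // otherwise be restarted (and the pending one cancelled) by the next tick.
    timers.clearInterval(id);
    onClosed();
  }, periodMs);
}

// Browser wiring that replaces an inline onclick attribute (hypothetical id).
if (typeof document !== 'undefined') {
  const link = document.getElementById('optout-link');
  if (link) link.addEventListener('click', (event) => {
    event.preventDefault();
    const popup = window.open(link.href);
    if (popup) watchPopupClosed(popup, () => window.location.reload());
  });
}

// Fake timers so the behaviour can be checked outside a browser.
function makeFakeTimers() {
  const active = new Map();
  let nextId = 1;
  return {
    setInterval(fn) { active.set(nextId, fn); return nextId++; },
    clearInterval(id) { active.delete(id); },
    tick() { for (const fn of [...active.values()]) fn(); },
    activeCount: () => active.size,
  };
}

// Returns how often the reload callback ran and how many timers remain.
function simulateClose(ticksAfterClose) {
  const timers = makeFakeTimers();
  const popup = { closed: false };
  let reloads = 0;
  watchPopupClosed(popup, () => { reloads += 1; }, timers);
  timers.tick(); // popup still open: nothing happens
  popup.closed = true;
  for (let i = 0; i < ticksAfterClose; i++) timers.tick();
  return { reloads, activeTimers: timers.activeCount() };
}
```

Moving the `timers.clearInterval(id)` call after `onClosed()` or removing it makes `simulateClose(3)` report three reload attempts, which is the behaviour the last commit message describes.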