@Skywalker-11 opened this Pull Request on May 9th 2018

This PR moves the javascript part of the opt-out page that can be loaded via an iframe to a separate file. This allows the usage of CSP without the need to allow inline scripts or using hashes

@tsteur commented on May 9th 2018 Member

FYI: Merging this PR would break https://github.com/matomo-org/tracker-proxy/pull/37 which we finished yesterday cc @diosmosis

@Skywalker-11 commented on May 14th 2018

This PR should now also work with the patched tracker-proxy which PR is referenced above. To accieve this an additional get parameter (matomoproxy) is added on the proxy. If it doesn't exist in the request of the opt-out iframe the normal path plugins/CoreAdminHome/javascripts/optOut.js is used.
If the parameter matomoproxy exists it will use ?module=CoreAdminHome&action=getOptOutJs as path for the script which is translated by the proxy to the normal path which then will be returned.

I'm not that familiar with the matomo routing so if there is a better way to do this please tell me.

@diosmosis commented on May 17th 2018 Member

I don't think using a special URL that doesn't actually work in matomo (ie, the ?module=CoreAdminHome&action=getOptOutJs) as a sort of message passing between matomo and the tracker-proxy is a good idea. It's not really clear from looking at the matomo code that this is what that special URL is for and it couples two entire repos together.

This should ideally be handled entirely in the tracker-proxy (so matomo doesn't have to know the tracker-proxy exists). Something like, in the tracker-proxy for matomo-proxy.php, rewriting URLs to JS/CSS files in the output to point to matomo-proxy.php instead (eg, tracker-proxy/matomo-proxy.php?file=plugins/CoreAdminHome/javascripts/optOut.js). Would probably need to add a new global variable for this that is set in matomo-proxy.php & handled in proxy.php.

Powered by GitHub Issue Mirror