UPDATE: This issue was caused by ad blocker plugins in our test browsers blocking Matomo from loading.
Although the Matomo maintainers claim it works under the strictest CSP settings, it fails to execute on all major browsers. The error is "blocked by client" as expected when a script is blocked by CSP.
The Matomo JS file appears to contain a call to create and embed a new script in the DOM, which is one possible thing violating the CSP.
The CSP settings are:
<meta http-equiv=\"Content-Security-Policy\" content=\"frame-src 'self'; script-src 'self' https://www.google.com/ https://www.gstatic.com/ \" />
Matomo's claim to work under strict CSP is here:
I have implemented the loading of the JS file in the way they suggest.
Woops wrong repo, sorry. That ticket should have gone on our web application's repo :D If this turns out not to be an issue with our web application config after further investigation I'll open an issue here.
In case anyone comes across this ticket, the issue we were having was ad blocker plugins in all the test browsers were blocking Matomo from running, and we were getting errors such as "net::ERR_BLOCKED_BY_CLIENT" in Chrome. Disabling the ad blocker plugins of course allowed Matomo to run, and it now works even with our very strict Content Security Policy enabled.
The plugin we were using was uBlock Origin https://github.com/gorhill/uBlock