I noticed a drop of visitors on my website and a sudden spike of CSP reports after upgrading to Matomo 4.
It seems like the sendBeacon call instead of the old tracking method is the culprit. If I'm not mistaken, the previous tracker loaded an image (which had to be whitelisted in the CSP with img-src) whereas the sendBeacon method needs to be whitelisted with connect-src.
I don't think there's much that can be done to solve this, other than documenting this change and the fact that a website's CSP should now include connect-src.
Thanks for noticing this @nicwortel
Because Matomo might still fall back to other ways when sendBeacon is not requested, I suppose we need to add this. On https://matomo.org/faq/general/faq_20904/ we have the example below. Wondering how you adjusted it? I suppose we still need img-src etc. as a fallback (although browsers that don't support sendBeacon maybe also don't support CSP, but it might still be good to allow both).
Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://matomo.example.com; img-src 'self' http://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';"
I have noticed that the update to 4.0.0 introduced a problem with the daily processing. After updating to 4.0.5 and adding connect-src the numbers returned to normal.
It is important to note that we did not lose the data of the day of the update and CSP fix. So there was/is something wrong with the processing too.
@dns2utf8 could you maybe post your full CSP header now? (feel free to replace your domain with matomo.example.com). That'd be great.
(...) Wondering how you adjusted it?
Here's the diff from my commit:
- add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always; + add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; connect-src <matomo-domain>; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
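Review bot: the decisive change in the + line is the new connect-src <matomo-domain> entry, and it is correct: this policy opens with default-src 'none', so any fetch directive that is not listed explicitly falls back to 'none', which is why sendBeacon/XHR to the Matomo host was blocked while the image request (covered by img-src 'self' <matomo-domain>) still went through. Keeping the img-src entry in the new line preserves the image fallback for browsers without sendBeacon, which answers the question asked above. Note that <matomo-domain> and <report-uri.com> are placeholders and must be replaced with the real hosts before this header is deployed; angle brackets are not valid in a header value.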
It seems like GitHub does not highlight the actual changed words, but all I did was to add the
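To check a policy like the FAQ example or the nginx header above before deploying it, here is an added example (not Matomo's code) that parses a CSP header value and reports whether the sendBeacon transport (connect-src) and the image fallback (img-src) may reach the Matomo host, applying the default-src fallback rule. The policies, page origin and Matomo URL are constructed inputs; port numbers and the less common source forms are ignored (assumption).

```python
# Added example (not Matomo's code): does a CSP header let the Matomo tracker
# through? sendBeacon/XHR are governed by connect-src, the old image tracker by
# img-src; each falls back to default-src when absent. Ports are ignored (assumption).
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored, as browsers do
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _host_matches(source, target):
    """Host-source match: matomo.example.com, *.example.com, http://matomo.example.com."""
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return src.scheme == "http" and target.scheme == "https"  # http source also covers https
    host, thost = src.hostname or "", target.hostname or ""
    return thost.endswith(host[1:]) if host.startswith("*.") else host == thost

def allows(header, directive, page_origin, target_url):
    """True if `directive` (or its default-src fallback) permits target_url."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither directive present: the policy does not restrict it
        return True
    sources = [s.lower() for s in sources]
    if not sources or sources == ["'none'"]:
        return False
    page, target = urlsplit(page_origin), urlsplit(target_url)
    same_origin = (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port)
    for src in sources:
        if src == "*" or (src == "'self'" and same_origin):
            return True
        if not src.startswith("'") and _host_matches(src, target):
            return True
    return False

def matomo_tracking_allowed(header, page_origin, matomo_url):
    """Which tracking transports the policy permits: sendBeacon vs. image fallback."""
    return {"sendBeacon": allows(header, "connect-src", page_origin, matomo_url),
            "image": allows(header, "img-src", page_origin, matomo_url)}

# Constructed inputs: the FAQ policy quoted in this thread, and the same with connect-src added.
FAQ_POLICY = ("default-src 'self'; script-src 'self' http://matomo.example.com; img-src 'self' "
              "http://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';")
FIXED_POLICY = FAQ_POLICY + " connect-src http://matomo.example.com;"
```

Running matomo_tracking_allowed(FAQ_POLICY, "https://www.example.org", "http://matomo.example.com/matomo.php") reports the image transport allowed but sendBeacon blocked, which is exactly the symptom described in this thread; FIXED_POLICY allows both.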
The weird thing is that we have a CSP policy but we didn't have that problem. Also, using connect-src can break loading JS from your own site.