Version 4 can break websites with a Content Security Policy #16935
Comments
Thanks for noticing this @nicwortel. Because Matomo might still fall back to other ways when sendBeacon is not requested, I suppose we need to add this. On https://matomo.org/faq/general/faq_20904/ we have the below example. Wondering how you adjusted it? I suppose we still need
I have noticed that the update to 4.0.0 introduced a problem with the daily processing. After updating to 4.0.5 and adding
@dns2utf8 could you maybe post your full CSP header now? (feel free to replace your domain with
Here's the diff from my commit: - add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
+ add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; connect-src <matomo-domain>; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always; It seems like GitHub does not highlight the actual changed words, but all I did was to add the |
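Review bot: the only change between the `-` and `+` lines is the new `connect-src <matomo-domain>` directive, and it is the right fix for the symptom in the issue: the policy opens with `default-src 'none'`, so before this change a `navigator.sendBeacon` (or fetch/XMLHttpRequest) call to the Matomo host had no governing directive other than `default-src` and was blocked. Two things worth checking in review: keep `img-src 'self' <matomo-domain>` exactly as it is, since the tracker can fall back to an image request when sendBeacon is not used; and note that `connect-src` lists only `<matomo-domain>` while `script-src` lists `'self' <matomo-domain>`, so if the tracking endpoint is ever served from the page's own origin the beacon will still be blocked and `'self'` would need adding to `connect-src` as well.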
Thanks @nicwortel, I've adjusted the example in our FAQ https://matomo.org/faq/general/faq_20904/ and I've also updated the 4.0 and the 4.1 changelog to mention this change.
Weird thing is we have a CSP policy but we didn't have that problem. Also using connect-src can break loading js from your own site.
I noticed a drop of visitors on my website and a sudden spike of CSP reports after upgrading to Matomo 4.

It seems like the `sendBeacon` call instead of the old tracking method is the culprit. If I'm not mistaken, the previous tracker loaded an image (which had to be whitelisted in the CSP with `img-src`) whereas the `sendBeacon` method needs to be whitelisted with `connect-src`.

I don't think there's much that can be done to solve this, other than documenting this change and the fact that a website's CSP should now include `connect-src <matomo-domain>`.
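The img-src versus connect-src point above can be checked mechanically. The following is an added example, not Matomo's code and not from anyone in this thread: a minimal CSP evaluator that resolves the effective directive for a request type (with the CSP fallback to `default-src`) and runs the "before" and "after" policies from the diff in this thread against an image-pixel request and a `navigator.sendBeacon` request. The hosts `matomo.example.org` and `www.example.org` are hypothetical stand-ins for `<matomo-domain>` and the tracked site, and the `/matomo.php` request paths are constructed for the example.

```javascript
// Added example (not Matomo's code): a minimal CSP evaluator that shows why the
// Matomo 4 tracker's navigator.sendBeacon() call needs `connect-src` while the
// Matomo 3 image-pixel tracker only needed `img-src`.
// Assumptions: matomo.example.org stands in for <matomo-domain> and
// https://www.example.org for the tracked page's origin; both are hypothetical.

// CSP fetch-directive fallback chains: the directive that governs a request
// type, most specific first, ending in default-src.
const FALLBACK = {
  beacon: ['connect-src', 'default-src'], // navigator.sendBeacon, fetch, XHR
  image: ['img-src', 'default-src'],      // <img> / Image() tracking pixel
  script: ['script-src', 'default-src'],  // matomo.js itself
};

// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one CSP source expression match the request URL?
function sourceMatches(source, url, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase(); // strip keyword quotes
  if (s === 'none') return false;
  if (s === 'self') return url.origin === pageOrigin;
  if (s === '*') return true;
  if (source.startsWith("'")) return false; // nonces, hashes, 'report-sample', ... never match a URL
  // Host-source: optional scheme, optional leading wildcard, optional port and path.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme !== url.protocol.replace(':', '')) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Is a request of `kind` to `url` allowed for a page at pageOrigin?
// Returns {allowed, directive} so the caller can see which directive decided.
function isAllowed(header, kind, url, pageOrigin) {
  const policy = parseCsp(header);
  const target = new URL(url);
  for (const directive of FALLBACK[kind]) {
    if (directive in policy) {
      const allowed = policy[directive].some((src) => sourceMatches(src, target, pageOrigin));
      return { allowed, directive };
    }
  }
  return { allowed: true, directive: null }; // no governing directive: unrestricted
}

// Constructed sample policies: the `-` and `+` lines from the thread with the
// placeholders filled in (report-uri/report-to left out; they do not affect matching).
const MATOMO = 'https://matomo.example.org';
const PAGE = 'https://www.example.org';
const BEFORE = "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; " +
  "form-action duckduckgo.com; frame-ancestors 'none'; img-src 'self' matomo.example.org; " +
  "script-src 'self' matomo.example.org 'report-sample'; style-src 'self'";
const AFTER = BEFORE.replace('frame-ancestors', 'connect-src matomo.example.org; frame-ancestors');

// Matomo 3 image pixel vs Matomo 4 beacon, evaluated against each policy.
function trackerOutcomes() {
  const pixel = `${MATOMO}/matomo.php?idsite=1&rec=1`;
  const beacon = `${MATOMO}/matomo.php`;
  return {
    pixelBefore: isAllowed(BEFORE, 'image', pixel, PAGE),   // allowed via img-src
    beaconBefore: isAllowed(BEFORE, 'beacon', beacon, PAGE), // blocked by default-src 'none'
    pixelAfter: isAllowed(AFTER, 'image', pixel, PAGE),     // still allowed via img-src
    beaconAfter: isAllowed(AFTER, 'beacon', beacon, PAGE),   // allowed via connect-src
  };
}

console.log(trackerOutcomes());
```

Running it shows the beacon blocked by `default-src 'none'` under the old header and allowed by `connect-src` under the new one, while the image pixel passes in both. It also makes the `'self'` caveat visible: a beacon sent to the page's own origin is still refused under the new header, because `connect-src` lists only the Matomo host.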