
Version 4 can break websites with a Content Security Policy #16935

Closed
nicwortel opened this issue Dec 10, 2020 · 6 comments
Labels: c: Documentation (for issues related to in-app product help messages, or to the Matomo knowledge base)

@nicwortel

I noticed a drop of visitors on my website and a sudden spike of CSP reports after upgrading to Matomo 4.

It seems like the sendBeacon call instead of the old tracking method is the culprit. If I'm not mistaken, the previous tracker loaded an image (which had to be whitelisted in the CSP with img-src) whereas the sendBeacon method needs to be whitelisted with connect-src.

I don't think there's much that can be done to solve this, other than documenting this change and the fact that a website's CSP should now include connect-src <matomo-domain>.

@tsteur
Member

tsteur commented Dec 14, 2020

Thanks for noticing this @nicwortel

Because Matomo might still fall back to other ways when send beacon is not requested, I suppose we need to add this. On https://matomo.org/faq/general/faq_20904/ we have the example below. Wondering how you adjusted it? I suppose we still need img-src etc. as a fallback (although browsers that don't support send beacon maybe also don't support CSP, it might still be good to allow both).

Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://matomo.example.com; img-src 'self' http://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';"
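An added check, not part of this thread or of Matomo's own code: the script below parses a CSP header into directives, applies the default-src fallback that connect-src, img-src and script-src all use, and reports which of those directives allow a tracker origin. Run on the FAQ header quoted above with the assumed origin http://matomo.example.com, it shows the image beacon and script allowed but connect-src falling back to default-src 'self', which is exactly what blocks sendBeacon.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:  # skip the empty token left by a trailing ';'
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, origin):
    """True if one host-source expression covers the origin URL."""
    source = source.lower()
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'self', 'none', nonces etc. never cover a third-party host
    target = urlsplit(origin)
    if "://" in source:
        parsed = urlsplit(source)
        # CSP lets an http: source also match https: requests to that host.
        if parsed.scheme != target.scheme and (parsed.scheme, target.scheme) != ("http", "https"):
            return False
        host = parsed.hostname or ""
    else:
        host = source.split("/")[0].split(":")[0]  # bare host: drop path or port
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])
    return target.hostname == host

def directive_allows(policy, directive, origin):
    """img-src, connect-src and script-src all fall back to default-src when absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither directive nor default-src present: unrestricted
    return any(source_matches(s, origin) for s in sources)

def tracker_report(header, tracker_origin):
    """Which directives the tracker relies on (image beacon, sendBeacon/XHR, script) allow the origin."""
    policy = parse_csp(header)
    return {d: directive_allows(policy, d, tracker_origin)
            for d in ("img-src", "connect-src", "script-src")}

# Constructed inputs: the FAQ example quoted above, and the same policy with connect-src added.
FAQ_POLICY = ("default-src 'self'; script-src 'self' http://matomo.example.com; "
              "img-src 'self' http://matomo.example.com; style-src 'self'; "
              "frame-ancestors 'self'; frame-src 'self';")
FIXED_POLICY = FAQ_POLICY + " connect-src 'self' http://matomo.example.com;"
print(tracker_report(FAQ_POLICY, "http://matomo.example.com"))
```

The matcher covers host, scheme and wildcard sources only; port-specific sources and the 'self' keyword resolving to the page's own origin are left out.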

@dns2utf8

I have noticed that the update to 4.0.0 introduced a problem with the daily processing. After updating to 4.0.5 and adding connect-src the numbers returned to normal.
It is important to note that we did not lose the data of the day of the update and CSP fix. So there was/is something wrong with the processing too.

@mattab mattab modified the milestones: 4.0.x, 4.1.0, 4.2.0 Dec 21, 2020
@tsteur
Member

tsteur commented Dec 22, 2020

@dns2utf8 could you maybe post your full CSP header now? (Feel free to replace your domain with matomo.example.com.) That would be great.

@nicwortel
Author

(...) Wondering how you adjusted it?

Here's the diff from my commit:

- add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
+ add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; connect-src <matomo-domain>; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
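Review bot: the new connect-src lists only <matomo-domain> and no 'self', so same-origin fetch/XMLHttpRequest/sendBeacon calls from the site itself stay blocked exactly as they were under the default-src 'none' fallback; if the site makes any such calls, use `connect-src 'self' <matomo-domain>;` instead. Leaving <matomo-domain> in img-src is correct, since the tracker falls back to an image request where sendBeacon is unavailable.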

It seems like GitHub does not highlight the actual changed words, but all I did was add the connect-src <matomo-domain>; directive.

@tsteur
Member

tsteur commented Dec 22, 2020

Thanks @nicwortel I've adjusted the example in our FAQ https://matomo.org/faq/general/faq_20904/

I've also updated the 4.0 and the 4.1 changelog to mention this change.

@tsteur tsteur closed this as completed Dec 22, 2020
@tsteur tsteur self-assigned this Dec 22, 2020
@paladox
Contributor

paladox commented Dec 23, 2020

Weird thing is we have a CSP policy but we didn't have that problem. Also using connect-src can break loading js from your own site.
