@nicwortel opened this Issue on December 10th 2020

I noticed a drop of visitors on my website and a sudden spike of CSP reports after upgrading to Matomo 4.

It seems like the sendBeacon call instead of the old tracking method is the culprit. If I'm not mistaken, the previous tracker loaded an image (which had to be whitelisted in the CSP with img-src) whereas the sendBeacon method needs to be whitelisted with connect-src.

I don't think there's much that can be done to solve this, other than documenting this change and the fact that a website's CSP should now include connect-src <matomo-domain>.

@tsteur commented on December 14th 2020 Member

Thanks for noticing this @nicwortel

Because Matomo might still fall back to other ways when sendBeacon is not requested, I suppose we need to add this. On https://matomo.org/faq/general/faq_20904/ we have the example below. Wondering how you adjusted it? I suppose we still need img-src etc. as a fallback (although browsers that don't support sendBeacon maybe also don't support CSP, but it might still be good to allow both).

Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://matomo.example.com; img-src 'self' http://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';"

@dns2utf8 commented on December 21st 2020

I have noticed that the update to 4.0.0 introduced a problem with the daily processing. After updating to 4.0.5 and adding connect-src the numbers returned to normal.
It is important to note that we did not lose the data of the day of the update and CSP fix. So there was/is something wrong with the processing too.

@tsteur commented on December 22nd 2020 Member

@dns2utf8 could you maybe post your full CSP header now? (Feel free to replace your domain with matomo.example.com.) That would be great.

@nicwortel commented on December 22nd 2020

(...) Wondering how you adjusted it?

Here's the diff from my commit:

- add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
+ add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; form-action duckduckgo.com; connect-src <matomo-domain>; frame-ancestors 'none'; img-src 'self' <matomo-domain>; script-src 'self' <matomo-domain> 'report-sample'; style-src 'self'; require-trusted-types-for 'script'; report-uri <report-uri.com>; report-to default" always;
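Review bot: the added connect-src lists only <matomo-domain>, and because this policy starts with default-src 'none', fetch, XMLHttpRequest and sendBeacon calls from the page's own origin stay blocked after this change; if the site makes any such calls itself, the directive should read connect-src 'self' <matomo-domain>;. Keeping img-src 'self' <matomo-domain> alongside it is right, since the image beacon remains the fallback transport when sendBeacon is unavailable.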

It seems like GitHub does not highlight the actual changed words, but all I did was to add the connect-src <matomo-domain>;.
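The directive mapping discussed in this thread (img-src for the image beacon, connect-src for sendBeacon and XMLHttpRequest, with default-src as the fallback for both when the specific directive is absent) can be checked mechanically against a header. The script below is an added example, not Matomo's code and not from anyone in the thread. It evaluates the FAQ header from the earlier comment and the before/after policies from this diff, with <matomo-domain> replaced by matomo.example.com as suggested above; the page origin and tracker URL are constructed, and the report-uri placeholder is kept as a literal token.

```python
"""Check which Matomo tracking transports a Content-Security-Policy header
permits: the <img> beacon (governed by img-src) and navigator.sendBeacon /
XMLHttpRequest (governed by connect-src). Both fall back to default-src
when absent, which is why default-src 'none' silently blocks sendBeacon
until connect-src is added. Added example with constructed inputs."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    As in browsers, the first occurrence of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _origin_parts(url):
    """(scheme, host, port), with the port filled in from the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = str(u.port) if u.port else DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port


def source_matches(expr, url, page_origin):
    """Does one CSP source expression allow a request to url?
    Covers 'none', 'self', '*', scheme-sources and host-sources (paths are
    ignored; nonces, hashes and other keywords never match a URL)."""
    url_scheme, url_host, url_port = _origin_parts(url)
    page_scheme, page_host, page_port = _origin_parts(page_origin)
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (url_scheme, url_host, url_port) == (page_scheme, page_host, page_port)
    if expr.startswith("'"):
        return False
    if expr == "*":
        return url_scheme in ("http", "https")
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https:
        return url_scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = (expr.split("://", 1) if "://" in expr else (None, expr))
    host, _, port = rest.split("/", 1)[0].partition(":")
    # An explicit scheme must match; without one the page's scheme is used.
    # An http source also admits https (the upgrade rule in CSP3).
    wanted = scheme or page_scheme
    if url_scheme != wanted and not (wanted == "http" and url_scheme == "https"):
        return False
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != url_host:
        return False
    if not port:  # no port-part: the URL must use its scheme's default port
        return url_port == DEFAULT_PORTS.get(url_scheme)
    return port == "*" or port == url_port


def allows(policy, directive, url, page_origin):
    """Fetch directives fall back to default-src; neither present means unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def tracker_report(header, tracker_url, page_origin):
    """Which Matomo transports the page's CSP permits toward tracker_url."""
    policy = parse_csp(header)
    return {
        "img-src": allows(policy, "img-src", tracker_url, page_origin),
        "connect-src": allows(policy, "connect-src", tracker_url, page_origin),
    }


# Constructed inputs: the FAQ example quoted in the thread, and the nginx
# policy from the diff with <matomo-domain> replaced by matomo.example.com.
FAQ_HEADER = ("default-src 'self'; script-src 'self' http://matomo.example.com; "
              "img-src 'self' http://matomo.example.com; style-src 'self'; "
              "frame-ancestors 'self'; frame-src 'self';")
BEFORE = ("default-src 'none'; base-uri 'none'; child-src www.youtube-nocookie.com; "
          "form-action duckduckgo.com; frame-ancestors 'none'; "
          "img-src 'self' matomo.example.com; script-src 'self' matomo.example.com 'report-sample'; "
          "style-src 'self'; require-trusted-types-for 'script'; "
          "report-uri <report-uri.com>; report-to default")
AFTER = BEFORE.replace("frame-ancestors 'none';", "connect-src matomo.example.com; frame-ancestors 'none';")

if __name__ == "__main__":
    for name, hdr, tracker, page in [
        ("FAQ example", FAQ_HEADER, "http://matomo.example.com/matomo.php", "http://www.example.com"),
        ("before the diff", BEFORE, "https://matomo.example.com/matomo.php", "https://www.example.com"),
        ("after the diff", AFTER, "https://matomo.example.com/matomo.php", "https://www.example.com"),
    ]:
        print(name, tracker_report(hdr, tracker, page))
```

Run as-is it reports the FAQ header and the "before" policy as allowing the image beacon but not sendBeacon, and the "after" policy as allowing both: in the FAQ case connect-src falls back to default-src 'self', in the nginx case to default-src 'none', and neither admits the tracker host. The check covers only the two fetch directives the tracker depends on; report-uri and report-to are not fetch directives and are ignored.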

@tsteur commented on December 22nd 2020 Member

Thanks @nicwortel I've adjusted the example in our FAQ https://matomo.org/faq/general/faq_20904/

I've also updated the 4.0 and the 4.1 changelog to mention this change.

@paladox commented on December 23rd 2020 Contributor

Weird thing is we have a CSP policy but we didn't have that problem. Also using connect-src can break loading js from your own site.

This Issue was closed on December 22nd 2020