Matomo should be setting content security policy to prevent some XSS #17773
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
This is for the Matomo UI (not tracking). For better security we shouldn't leave it up to users to configure a content security policy. We should set a CSP that only allows requests to the current domain. Note: when Matomo is behind a load balancer etc., it might not know the correct domain it is on, so it would need to use trusted hosts, maybe (or in some cases).
Not sure if there are any external domains the UI requests. In any case, plugins should be allowed to configure extra rules. These rules would probably be applied to all Matomo requests (as, e.g., if a widget does external requests, by the time the widget is requested it cannot change the CSP). Additionally, for better security, we may give plugins the ability to enrich the CSP for a specific controller/action request. This way they would only change the CSP for the current request but not for other pages. This can be useful if a plugin renders an entire page.
We may also need to allow extra configuration through the config file.
We could also be making use of nonce-source, which may be quite good, but not sure it fully works or whether some other plugins may add script tags dynamically etc., where this could get difficult.
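The following is an added example, not Matomo's code and not part of the issue, of a per-request CSP builder shaped like what the issue proposes: a base policy limited to `'self'`, a fresh nonce for inline scripts, and extra sources contributed from three places (config file, a global plugin rule, and a per-controller/action rule). The class, method, hook and configuration names are all hypothetical. One point worth noting: `'self'` is resolved by the browser against the URL it actually loaded, so the server does not have to know its own public hostname for the base policy, which sidesteps the load-balancer problem mentioned above; only explicitly listed external hosts need configuring.

```php
<?php
// Added example, not Matomo code: a per-request CSP builder of the kind the
// issue proposes. Class, method and configuration names are hypothetical.

final class ContentSecurityPolicy
{
    /** @var array<string, string[]> directive name => source expressions */
    private array $directives;

    /** @var string base64 nonce, regenerated for every response */
    private string $nonce;

    public function __construct()
    {
        // Base policy: only the page's own origin. The browser resolves 'self'
        // from the URL it loaded, so no hostname is needed here.
        $this->directives = [
            'default-src'     => ["'self'"],
            'script-src'      => ["'self'"],
            'style-src'       => ["'self'"],
            'img-src'         => ["'self'", 'data:'],
            'object-src'      => ["'none'"],
            'base-uri'        => ["'self'"],
            'frame-ancestors' => ["'self'"],
        ];
        // 128 bits from the CSPRNG: a nonce must be unpredictable and unique
        // per response, otherwise an attacker can reuse it in injected markup.
        $this->nonce = base64_encode(random_bytes(16));
        $this->directives['script-src'][] = "'nonce-{$this->nonce}'";
    }

    public function getNonce(): string
    {
        return $this->nonce;
    }

    /** Add one source expression (config file, global or per-request plugin rule). */
    public function addSource(string $directive, string $source): void
    {
        if (!preg_match('/^[a-z][a-z-]*$/', $directive)) {
            throw new InvalidArgumentException("Invalid CSP directive: $directive");
        }
        // Whitespace or ';' inside a "source" could smuggle in further
        // directives and silently widen the policy, so reject it outright.
        if ($source === '' || preg_match('/[\s;,]/', $source)) {
            throw new InvalidArgumentException("Invalid CSP source: $source");
        }
        if (!in_array($source, $this->directives[$directive] ?? [], true)) {
            $this->directives[$directive][] = $source;
        }
    }

    /** Serialise as "directive src src; directive src". */
    public function toHeaderValue(): string
    {
        $parts = [];
        foreach ($this->directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }
        return implode('; ', $parts);
    }

    public function send(): void
    {
        if (!headers_sent()) {
            header('Content-Security-Policy: ' . $this->toHeaderValue());
        }
    }
}

// --- Usage --------------------------------------------------------------
$csp = new ContentSecurityPolicy();

// 1. Extra rules from the config file (constructed array standing in for a
//    hypothetical config section).
$configRules = ['img-src' => ['https://assets.example.org']];
foreach ($configRules as $directive => $sources) {
    foreach ($sources as $source) {
        $csp->addSource($directive, $source);
    }
}

// 2. Global plugin rule: applied to every response, because a widget fetched
//    later cannot change a header that has already gone out.
$csp->addSource('connect-src', 'https://api.example.org');

// 3. Per-request enrichment, only when this controller/action renders the
//    whole page (hypothetical routing variables).
$controller = 'ExamplePlugin';
$action     = 'fullPage';
if ($controller === 'ExamplePlugin' && $action === 'fullPage') {
    $csp->addSource('frame-src', 'https://maps.example.org');
}

$csp->send();
echo $csp->toHeaderValue(), PHP_EOL;

// Inline scripts the UI emits itself carry the nonce; an inline script without
// it (injected via XSS, or added by a plugin that bypasses this) is blocked.
echo '<script nonce="' . htmlspecialchars($csp->getNonce(), ENT_QUOTES) . '">init();</script>', PHP_EOL;
```

Two practical caveats for the nonce route: once a nonce appears in `script-src`, browsers that understand CSP Level 2 ignore `'unsafe-inline'`, so every inline script the UI or a plugin emits must carry the nonce or it simply stops running; and scripts a nonced script inserts at runtime with `document.createElement('script')` are only allowed if `'strict-dynamic'` is also present (or their host is listed), which is exactly the dynamic-script-tag concern raised above. Running the page with `Content-Security-Policy-Report-Only` first surfaces those breakages without blocking anything.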