[answered] Content-Security-Policy Support


(kkretsch) #1

When using the new FF4 reply header X-Content-Security-Policy we should not use any inline JavaScript. So the embedding of the Piwik tracking code seems to get complicated.
The code snippet should be available in an alternative format ready for CSP support.
Any hints how to use it manually for CSP? Any jQuery needed for this?


(vipsoft) #2

Sorry, this is a wontfix. Implement "Content Security Policy" (CSP) · Issue #1542 · matomo-org/matomo · GitHub


(vipsoft) #3

The only two practical workarounds are:

  • you put the tracking code in an external js file, or
  • you enable inline scripts by adding the 'unsafe-inline' source expression keyword to the script-src directive (but this disables XSS protection)

A third workaround involves crypto and would require a change to your app (as opposed to Piwik).
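
The two workarounds listed in post #3 can be compared by checking what a given policy permits. The following is an added example, not code from the thread or from Piwik: a small checker for standard `Content-Security-Policy` syntax that reports whether inline scripts run and whether an external tracker file would load. The hostnames, policies and function names are constructed for illustration, and host matching is simplified (port and path parts of a source are ignored).

```javascript
// Added example: minimal CSP checker (simplified source matching, see comments).
function scriptSources(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  // script-src falls back to default-src; null means scripts are unrestricted.
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function allowsInlineScript(header) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  // In CSP Level 2 and later, a nonce or hash source makes 'unsafe-inline' ignored.
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

function allowsExternalScript(header, scriptUrl, pageOrigin) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some(raw => {
    const s = raw.toLowerCase();
    if (s === "'self'") return url.origin === new URL(pageOrigin).origin;
    if (s.startsWith("'")) return false; // 'none', other keywords, nonces, hashes
    if (s === '*') return /^https?:$/.test(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
    // host-source, simplified: optional scheme, optional "*." prefix; port and path ignored.
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/.exec(s);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    if (scheme && url.protocol !== scheme + ':') return false;
    return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  });
}

// Constructed sample policies for the two workarounds in the thread.
const EXTERNAL_FILE_POLICY = "default-src 'self'; script-src 'self' https://analytics.example.com";
const UNSAFE_INLINE_POLICY = "script-src 'self' 'unsafe-inline'";
```

With `EXTERNAL_FILE_POLICY`, the tracking code has to live in a file served from the page's own origin or from the listed analytics host; with `UNSAFE_INLINE_POLICY`, any inline `<script>` block runs, including one injected through XSS.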