HeatmapSessionRecording Plugin CSP error

We are unable to play session recordings created through HeatmapSessionRecordingPlugin.
Below are the errors from the browser's F12 dev tools.

Refused to frame 'matomoint.myorg/index.php?module=HeatmapSessionRecording&action=embedPage&idSite=3&idLogHsr=1&idSiteHsr=3' because it violates the following Content Security Policy directive: "frame-src youtube youtube-nocookie".
index.php?module=Proxy&action=getUmdJs&chunk=2&cb=b362d5d78c2219e0b7d3c169d55b7e58:195

Uncaught (in promise) SecurityError: Failed to read a named property 'recordingFrame' from 'Window': Blocked a frame with origin "matomoint.myorg" from accessing a cross-origin frame.
at index.php?module=Proxy&action=getUmdJs&chunk=2&cb=b362d5d78c2219e0b7d3c169d55b7e58:195:28217

Below is the current CSP.

content-security-policy

default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' 'unsafe-eval' data:; frame-src youtube youtube-nocookie

How do I fix this error?

Hi there,

It looks like the Content Security Policy (CSP) currently in place is preventing the session recording iframe from loading correctly.

Right now, your CSP only allows framing from youtube. This blocks iframes from any other domain, including your own Matomo instance.

frame-src youtube youtube-nocookie

You could try to modify your frame-src like this:

frame-src 'self' https://matomoint.myorg youtube youtube-nocookie;

Or, if your main site and Matomo are on different subdomains or protocols, list both explicitly:

frame-src 'self' https://www.yoursite.com https://matomoint.myorg youtube youtube-nocookie;

This should allow the session playback iframe to load and play properly.
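To make the reasoning above concrete, here is an added example (not code from the thread, from Matomo, or from the plugin): a small Python emulation of the frame-src check the browser performs, run against a constructed copy of the policy quoted in the question and against the corrected directive suggested in the answer. The page origin and embed URL are modelled on the error message; the source-expression matching is simplified (scheme, host and wildcard-host handling only, no port defaults or path matching), which is enough to show why the original policy blocks the recording iframe and the corrected one allows it.

```python
from urllib.parse import urlparse

# Constructed sample policies, modelled on the header quoted in the question and
# on the corrected frame-src from the answer (straight quotes, as a real header has).
ORIGINAL_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' 'unsafe-inline' 'unsafe-eval' data:; "
    "frame-src youtube youtube-nocookie"
)
FIXED_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' 'unsafe-inline' 'unsafe-eval' data:; "
    "frame-src 'self' https://matomoint.myorg youtube youtube-nocookie"
)

# Hypothetical origin and embed URL, shaped like the ones in the error message.
PAGE_ORIGIN = "https://matomoint.myorg"
EMBED_URL = ("https://matomoint.myorg/index.php?module=HeatmapSessionRecording"
             "&action=embedPage&idSite=3&idLogHsr=1&idSiteHsr=3")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _split_host_source(expr):
    """Return (scheme or None, host, port or None) for a host-source expression."""
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return (scheme.lower() if scheme else None, host.lower(), port or None)


def source_allows(expr, url, page_origin):
    """True if one source expression permits loading `url` from a page at `page_origin`.

    Simplified relative to the CSP spec: no default-port rules, no path matching.
    """
    target = urlparse(url)
    page = urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.hostname, target.port) == \
               (page.scheme, page.hostname, page.port)
    if expr == "*":
        return target.scheme not in ("data", "blob", "filesystem")
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as "https:" or "data:"
        return target.scheme == expr[:-1].lower()
    if expr.startswith("'"):                      # 'unsafe-inline', nonces, hashes: not hosts
        return False
    scheme, host, port = _split_host_source(expr)
    if host.startswith("*."):
        host_ok = target.hostname is not None and target.hostname.endswith(host[1:])
    else:
        host_ok = target.hostname == host
    # Without an explicit scheme the fetched scheme must match the page's (https always ok).
    scheme_ok = (target.scheme == scheme) if scheme else (target.scheme in (page.scheme, "https"))
    port_ok = port is None or port == "*" or str(target.port) == port
    return host_ok and scheme_ok and port_ok


def frame_allowed(header, url, page_origin):
    """Emulate the browser's frame check, using CSP's fallback chain
    frame-src -> child-src -> default-src."""
    policy = parse_csp(header)
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return any(source_allows(e, url, page_origin) for e in policy[name])
    return True   # no governing directive: nothing to enforce


if __name__ == "__main__":
    print("original policy allows embed:", frame_allowed(ORIGINAL_CSP, EMBED_URL, PAGE_ORIGIN))
    print("fixed policy allows embed:   ", frame_allowed(FIXED_CSP, EMBED_URL, PAGE_ORIGIN))
```

Two things worth noticing when you run it. First, a policy with no frame-src at all would have fallen back to default-src 'self' and allowed the same-origin iframe; it is the explicit frame-src list that overrides that fallback and blocks it. Second, the quoted policy's default-src carries 'unsafe-inline' and 'unsafe-eval', so every directive that falls back to it (script-src included) inherits them; the frame-src fix does not touch that, and it is the part of this header a reviewer would want to tighten next.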