New Chrome safety feature blocking /matomo.php CORB

aron-edwards · January 19, 2021, 10:21am

Currently using cloud matomo

Info from Chrome

Seems calls to get https://****.matomo.cloud/matomo.php are failing on chrome due to a CORB error

matomo.js:35 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://****.matomo.cloud/matomo.php with MIME type application/json

Fix from google suggests

we recommend informing the website and requesting that they correct the "Content-Type" header for the response
Also may be triggered by "X-Content-Type-Options: nosniff" in header
https://www.chromium.org/Home/chromium-security/corb-for-developers

Lukas · January 19, 2021, 11:48am

Hi,

Can you by chance send me a direct message with the link to your website where you added the tracking?

According to https://www.chromestatus.com/feature/5629709824032768 this feature was enabled by default in Chrome in 2018 and it is the first time I hear of it, so I’d like to have a closer look at what is going wrong.

Lukas · February 4, 2021, 10:24am

Hi,

It turns out this might have been a bug in Matomo:

github.com/matomo-org/matomo

Tracking requests might not be loaded because of CORB

opened 11:26PM - 27 Jan 21 UTC

closed 11:33PM - 04 Feb 21 UTC

tsteur

Bug Regression

In the browser developer console I see a warning linking to https://www.chromest…atus.com/feature/5629709824032768 anyone seen this before? See https://www.chromium.org/Home/chromium-security/corb-for-developers for more information. HTTP with 204 seems to work but 200 blocked. `send_image=0` is used so it should have sent an HTTP 204 header. Actually... this output happens because of bulk requests. The request with HTTP 200 was sent as a bulk request in this example. ![image](https://user-images.githubusercontent.com/273120/106067345-64755600-6163-11eb-88af-b99e08f601f6.png) response headers: ![image](https://user-images.githubusercontent.com/273120/106067376-6fc88180-6163-11eb-9a50-5c648fb55b6b.png) The console warning reads `Cross-Origin Read Blocking (CORB) blocked cross-origin response XYZ with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.` For a URL where this can be reproduced feel free to ping me privately. I'm not sure if the tracking request will be executed or if just the response is not loaded. Goal of this issue is to make sure such requests are tracked and the warning is no longer shown.

github.com/matomo-org/matomo

Send 204 response for bulk requests to avoid possible CORB issue

matomo-org:4.x-dev ← matomo-org:bulkresponse

opened 02:51PM - 02 Feb 21 UTC

sgiehl

+47 -7

### Description: fixes #17159 ### Review * [ ] Functional review done …* [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support) * [ ] Security review done [see checklist](https://developer.matomo.org/guides/security-in-piwik#checklist) * [ ] Code review done * [ ] Tests were added if useful/possible * [ ] Reviewed for breaking changes * [ ] Developer changelog updated if needed * [ ] Documentation added if needed * [ ] Existing documentation updated if needed