Page overlay not working - cross-domain Matomo - error "You can't access this resource as it requires 'view' access for the website id"

(Remon Pel) #1

Hello all.

I have searched for this, but the few topics I could find do not apply to our situation.

We’re using Matomo 3.6.0, a central installation for multiple websites, and we’re logged in as the super-user (a regular user with the appropriate access rights has also been tested).

We’re using the Page Overlay feature with “overlay_disable_framed_mode = 1” because of cross-domain.
We’ve tried to set up the appropriate frame-related headers, which works (the site could load in the frame), but the tracker then complains with the error

Blocked a frame with origin “(website)” from accessing a frame with origin “(matomo installation)”. Protocols, domains, and ports must match.

Every attempt to get this cross-domain scripting allowed failed, so we went with the frame-less option.

The website loads, but the site then responds with an alert box containing the before-mentioned error:

Error: You can’t access this resource as it requires ‘view’ access for the website id = 1.

We’ve tried with the super-user account, and we’ve tried with an admin account which (verified) has the ‘view’ access right on the website in question.

I hope any of you recognises this problem and has a fix for it, because we’re at a loss.

Some topics hint at a bug, but supposedly fixed in 3.5.
Some topics hint at frame-busting (which we disabled on the site to be sure, no effect).
Other topics refer to Piwik 1 and 2, way too old.

Any and all help is appreciated.

Thank you.


(Fabian Dellwing) #2

Just to be sure: you set up the headers both ways? You need to allow Matomo to frame the page and the page to access Matomo.

(Remon Pel) #3

We did, but it didn’t help, so we probably did not do it properly. To avoid framing issues, we went with the frame-less option for now. That results in the error message. Once that’s been solved, we can try to get the framing working.

Oh, I forgot to mention in the topic:

We also added the ‘cors_domains[]’ items to the config file; it didn’t help.

Thank you for your response. We’ll keep trying :slight_smile:

(Fabian Dellwing) #4

It seems like you are not the only user with that problem:

(Remon Pel) #5

Golden tip, by the way: the ‘cors_domains’ setting seems not to do anything. I would have suspected/hoped that setting would be used to set the appropriate Content-Security-Policy headers, but alas, it does not.

I have hard-coded the CSP frame-ancestors with all domains used in the Matomo installation and the framing issue is resolved.

For future reference:
On the Matomo site, .htaccess:
Header always set Content-Security-Policy "frame-ancestors 'self' your-website-1-domain_com www_your-website-1-domain_com your-website-2-domain_com www.your-website-2-domain_com"

On the ‘client’ sites, .htaccess:
Header always set Content-Security-Policy "frame-ancestors 'self' your-matomo-service-domain_com"

That did the trick for me. Again, Fabian, thanks :slight_smile:

The access-control related error remains, however…

(as I can only post 2 links, I have mangled the domain names :frowning: they were just indicative fake names, hope everyone understands what is meant)
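The two-way frame-ancestors setup above is easy to get subtly wrong (a missing www. variant, a non-default port, a wildcard that does not cover the bare domain). Below is an added checker, not code from Matomo or from the poster, that takes the Content-Security-Policy header each side returns and answers whether origin A may frame origin B according to the frame-ancestors matching rules (`'self'`, `'none'`, `*`, scheme-source, host-source with wildcard subdomain and optional port). All origins and header values in it are constructed placeholders (`stats.example.net`, `example.org`, and so on), chosen to mirror the headers in the post.

```python
"""Two-way frame-ancestors check for a cross-domain Matomo Page Overlay.

Added example: given the CSP header each side sends, report whether Matomo may frame
the client site and whether the client site may frame Matomo.  Domains are placeholders.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if the header has none."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _origin_parts(origin):
    """('https', 'host', port) for an origin such as https://stats.example.net:8443."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)


def _host_source_parts(expr):
    """Split a host-source like https://*.example.org:443/path into (scheme, host, port)."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    expr = expr.split("/", 1)[0]          # a path part is irrelevant for frame-ancestors
    port = None
    if ":" in expr:
        expr, port = expr.rsplit(":", 1)
    return scheme, expr, port


def source_allows(expr, page_origin, ancestor_origin):
    """Does one frame-ancestors source expression let ancestor_origin embed page_origin?"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return _origin_parts(page_origin) == _origin_parts(ancestor_origin)
    if expr == "*":
        return True
    a_scheme, a_host, a_port = _origin_parts(ancestor_origin)
    if expr.endswith(":") and "/" not in expr:      # scheme-source, e.g. "https:"
        return a_scheme == expr[:-1]
    scheme, host, port = _host_source_parts(expr)
    # an http: source also matches an https: ancestor (scheme upgrade is allowed)
    if scheme and not (scheme == a_scheme or (scheme == "http" and a_scheme == "https")):
        return False
    if host.startswith("*."):                        # *.example.org: subdomains only, not the bare domain
        if not a_host.endswith(host[1:]):
            return False
    elif host != "*" and host != a_host:
        return False
    if port is None:                                 # no port in the source: ancestor must use the default port
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return port == "*" or int(port) == a_port


def frame_allowed(csp_header, page_origin, ancestor_origin):
    """May ancestor_origin embed page_origin, according to page_origin's CSP header?"""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True                                  # no frame-ancestors directive: CSP does not restrict framing
    return any(source_allows(s, page_origin, ancestor_origin) for s in sources)


def overlay_framing_check(matomo_origin, matomo_csp, site_origin, site_csp):
    """Both directions from the thread: Matomo framing the site, and the site framing Matomo."""
    return {
        "matomo_may_frame_site": frame_allowed(site_csp, site_origin, matomo_origin),
        "site_may_frame_matomo": frame_allowed(matomo_csp, matomo_origin, site_origin),
    }


# Constructed sample headers mirroring the post: bare and www. variants listed on the Matomo side.
MATOMO_ORIGIN = "https://stats.example.net"
MATOMO_CSP = "frame-ancestors 'self' example.org www.example.org example.com www.example.com"
SITE_CSP = "frame-ancestors 'self' stats.example.net"
SITE_CSP_WRONG_PORT = "frame-ancestors 'self' https://stats.example.net:8443"   # port does not match Matomo's 443

if __name__ == "__main__":
    for site in ("https://www.example.org", "https://example.org", "https://shop.example.org"):
        print(site, overlay_framing_check(MATOMO_ORIGIN, MATOMO_CSP, site, SITE_CSP))
    print("wrong port:", overlay_framing_check(MATOMO_ORIGIN, MATOMO_CSP, "https://www.example.org", SITE_CSP_WRONG_PORT))
```

Running it shows `shop.example.org` failing the site-frames-Matomo direction because it is not listed, and the wrong-port header failing the Matomo-frames-site direction even though the host matches. Note that this only covers whether the browser will render one origin inside a frame of the other; script access between the two frames is governed by the same-origin policy, which frame-ancestors does not relax.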

(Remon Pel) #6

On GitHub, a pull request has been made that solves the problem. I couldn’t find the perfect spot to say this, to confirm the solution works, so here it is.

The pull request: In Overlay do not call API directly since it does not have access to the token auth. by diosmosis · Pull Request #13420 · matomo-org/matomo · GitHub

I could not find a “get diff file” button, so I manually applied these changes to the files in question, and it works beautifully! Thank you all!!!

(Fabian Dellwing) #7

13406-overlay-api.patch (3,9 KB)