Page overlay not working - cross-domain Matomo - error "You can't access this resource as it requires 'view' access for the website id"

Hello all.

I have searched for this, but the view topics I could find do not apply to our situation.

We’re using Matomo 3.6.0, a central installation for multiple websites, and we’re logged in with the super-user (a regular user with the appropriate access rights has also been tested).

We’re using the Page Overlay feature with “overlay_disable_framed_mode = 1” because of cross-domain.
We’ve tried to set up the appropriate frame-related headers, which work (the site could load in the frame), but the tracker then complains with the error:

Blocked a frame with origin “(website)” from accessing a frame with origin “(matomo installation)”. Protocols, domains, and ports must match.

Every attempt to get this cross-domain scripting allowed failed, so we went with the frame-less option.

The website loads, but the site then responds with an alert box with the before-mentioned error:

Error: You can’t access this resource as it requires ‘view’ access for the website id = 1.

We’ve tried with the super-user account, and we’ve tried with an admin account which has (verified) the ‘view’ access right on the website in question.

I hope any of you recognises this problem and has a fix for it, because we’re at a loss.

Some topics hint at a bug, but supposedly fixed in 3.5.
Some topics hint at frame-busting (which we disabled on the site to be sure; no effect).
Other topics refer to Piwik 1 and 2, way too old.

Any and all help is appreciated.

Thank you.

Remon.

Just to be sure: you set up the headers both ways? You need to allow Matomo to frame the page and the page to access Matomo.

We did, but didn’t help, so we probably did not do it properly, but to avoid framing issues, we went with the frame-less option for now. That results in the error message. Once that’s been solved, we can try to get the framing working.

Oh, I forgot to mention in the topic:

We also added the ‘cors_domains[]’ items to the config file; it didn’t help.

Thank you for your response. We’ll keep trying :slight_smile:

It seems like you are not the only user with that problem:

Golden tip, by the way, the ‘cors_domains’ setting seems not to do anything. Would have suspected/hoped that setting would be used to set the appropriate content-security-policy headers, but alas, it does not.

I have hard-coded the CSP frame-ancestors with all domains used in the Matomo installation and the framing issue is resolved.

For future reference:
On the Matomo site, .htaccess:
Header always set Content-Security-Policy "frame-ancestors 'self' your-website-1-domain_com www_your-website-1-domain_com your-website-2-domain_com www.your-website-2-domain_com"

On ‘client’ sites, .htaccess:
Header always set Content-Security-Policy "frame-ancestors 'self' your-matomo-service-domain_com"

That did the trick for me; again, Fabian, thanks :slight_smile:

The access-control related error remains, however…

(as I can only post 2 links, I have mangled the domain names :frowning: they were just indicative fake names, hope everyone understands what is meant)
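As an added example (not from this thread and not Matomo's own code), the Python below checks a pair of Content-Security-Policy headers like the two above in both directions: the tracked site must admit the Matomo origin as a frame ancestor, and the Matomo host must admit the site. The domains and headers are constructed placeholders, and the host-source matching is simplified (scheme, host with a leading `*.` wildcard, explicit port); it says nothing about the separate same-origin restriction on script access behind the "Blocked a frame" error.

```python
from urllib.parse import urlsplit

# Constructed sample: the two headers the thread ends up with (placeholder domains).
MATOMO_URL = "https://matomo.example/index.php"
MATOMO_CSP = "frame-ancestors 'self' site-one.example www.site-one.example"
SITE_URL = "https://www.site-one.example/products"
SITE_CSP = "frame-ancestors 'self' matomo.example"

def parse_csp(header):
    """Map each CSP directive name to its list of source tokens."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    """(scheme, host, port): the three things the browser compares for same-origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or {"http": 80, "https": 443}.get(scheme)

def _source_allows(source, child_url, ancestor_url):
    """Simplified host-source match: scheme, host (with *. wildcard) and explicit port."""
    if source == "'self'":
        return _origin(child_url) == _origin(ancestor_url)
    a_scheme, a_host, a_port = _origin(ancestor_url)
    if source.endswith(":"):                     # scheme-source such as "https:"
        return source[:-1].lower() == a_scheme
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme.lower() != a_scheme:    # "Protocols ... must match"
        return False
    host, _, port = rest.lower().partition(":")
    if port and port != "*" and int(port) != a_port:
        return False
    if host.startswith("*."):
        return a_host.endswith(host[1:])
    return host == "*" or host == a_host         # 'none' or any other keyword matches nothing

def frame_allowed(child_url, child_csp, ancestor_url):
    """True if the page at child_url may be framed by ancestor_url under child_csp."""
    sources = parse_csp(child_csp).get("frame-ancestors")
    if sources is None:                          # no directive: CSP does not restrict framing
        return True
    return any(_source_allows(s, child_url, ancestor_url) for s in sources)

def overlay_framing_ok(matomo_url, matomo_csp, site_url, site_csp):
    """Both directions from the thread: the site admits Matomo as an ancestor and vice versa."""
    return frame_allowed(site_url, site_csp, matomo_url) and frame_allowed(matomo_url, matomo_csp, site_url)
```

Feed it the real headers returned by both hosts (for example from `curl -sI`) to see which direction is still blocked before touching the Matomo configuration.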

In GitHub, a pull request is made that solves the problem. I couldn’t find the perfect spot to say this, to confirm the solution works, so here it is.

the pull request: In Overlay do not call API directly since it does not have access to the token auth. by diosmosis · Pull Request #13420 · matomo-org/matomo · GitHub

Could not find a “get diff file” button, so I manually applied these changes to the files in question and it works beautifully! thank you all!!!

13406-overlay-api.patch (3,9 KB)