Problems with tight CSP policies


(fulanoperez) #1

if a site has something like:

Content-Security-Policy "default-src 'none'; base-uri 'self'; require-sri-for script style; script-src 'self' blob: 'unsafe-inline'; style-src 'self' 'unsafe-inline'; …

the browsing client won’t run unsafe-eval js

does the code need to have unsafe-evals ?

would matomo consider using integrity hashes built-in and enabled by default ?


(Lukas Winkler) #2

Hi,

The putting-the-script-into-the-website-part is something that varies widely between use cases.

But you could e.g. move the tracking script into an own website and therefore don’t need to run any inline js:

https://matomo.org/faq/general/faq_20904/

The piwik.js also does not include an eval()


(fulanoperez) #3

the problem is with index.php:

** Message: console message: piwik/index.php?module=Proxy&action=getCoreJs&cb=2b94ecbb85dd46f857357a9e7f94c2d6 @4: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: 'unsafe-inline'".

** Message: console message: piwik/index.php?module=Proxy&action=getCoreJs&cb=2b94ecbb85dd46f857357a9e7f94c2d6 @4: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: 'unsafe-inline'".

the images aren't a huge problem, but still:

** Message: console message: @0: Refused to load the image 'plugins.matomo.org/FacebookPageWidgetByAmperage/images/1.0.1/facebook-page-widget.png?w=600' because it violates the following Content Security Policy directive: "img-src 'self' data:".

** Message: console message: @0: Refused to load the image 'plugins.matomo.org/MediaAnalytics/images/3.2.6/0_Media_Overview.png?w=600' because it violates the following Content Security Policy directive: "img-src 'self' data:".

** Message: console message: @0: Refused to load the image 'plugins-matomo-org/AbTesting/images/3.2.0/0_Report.png?w=600' because it violates the following Content Security Policy directive: "img-src 'self' data:".

what about if no other domain is available ?


(fulanoperez) #4

also, without 'unsafe-eval' it's not possible to mouse-over and see IP, OS, location in the dashboard visitors in real time…


(fulanoperez) #5

to get around this can a .htaccess be placed in the root matomo installation folder with more permissive allowances ?
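An added example (not from the thread or from Matomo): an .htaccess in the Matomo root that replaces the site-wide policy only for requests under that directory, so 'unsafe-eval' and the plugins.matomo.org image host are granted to the Matomo UI alone and the strict policy from #1 stays in force for the rest of the site. It assumes Apache with mod_headers loaded and AllowOverride permitting FileInfo; the directives hidden behind the "…" in #1 are not on the page and must be carried over by hand, because "Header set" replaces the whole header value.

```apache
# Added example, not Matomo's own config. Place as .htaccess in the
# Matomo installation folder. Assumes mod_headers and AllowOverride FileInfo.
# "Header set" in this directory scope overrides the server-wide
# Content-Security-Policy for this path only; everything else on the
# site keeps the strict policy without 'unsafe-eval'.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://plugins.matomo.org"
</IfModule>
```

The relaxation covers only index.php and the dashboard; the piwik.js/matomo.js tracker served from this directory to other pages does not need eval, so those pages' own policies are unaffected.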