Sandboxing of tracking code

Reviewing Piwik deployment guidelines here.

I note where tracking code is included, it is running in the same context as the web page, this means anyone able to rewrite piwik.js can run JavaScript in the context of the page. Since typically the same JavaScript is included for admin users of an application, this means that piwik.js needs to be protected with the same controls, as the most sensitive content in any web application instrumented with Piwik.

Whilst Piwik is fairly robust security-wise (for a big PHP application), one is still increasing the attack surface by instrumenting an application with Piwik.

Aside from “image only” tracking, is there any scope for changing this within Piwik? e.g. one could embed the tracking code in an iframe, or otherwise sandbox it, so that if the Piwik server were compromised the compromise doesn’t automatically spread to the instrumented web application?

One can imagine a lot of solutions that sort of work here, subresource integrity hashes in the tracking code; moving the JavaScript file to the application server, but most of these are transient or need more maintenance. Feels to me like it should be a tracking code option to write code with an iframe or other sandbox style control so that there is no risk to the application.

Obviously such an approach reduces the scope of what can be recorded by Piwik, although we can assume many items of interest - screen resolution, browser capabilities, client IP etc., remain the same whatever context they are measured in. One could also imagine serving the Piwik.js with a cache buster and infinite time to live, so that any such attack would only work against new users of your site.

I’m sure this must have been debated in depth before, but not found anything Piwik specific. Some interesting discussion in OWASP Belgium around JSand.

I agree re integrity hashes for SRI - it's also a problem for sites just wanting to view stats, for example, with sites that have:

Content-Security-Policy "default-src 'none'; base-uri 'self'; require-sri-for script style; script-src 'self' blob: 'unsafe-inline'; style-src 'self' 'unsafe-inline'; …

or can such sites use .htaccess in the piwik root installation folder with allowances for their CSP?