nezee
September 23, 2022, 8:57am
#1
After a lot of trial and error and debugging we found out that it is not possible to set the nonce attribute in a script tag like this:
<script type="text/javascript" nonce={{nonce_value}}>
At some point Matomo is calling a function called “cloneScript” and in that function it is not cloning the nonce attribute.
Is there a reason for that? Unfortunately this means we cannot use the A/B testing feature of Matomo, unless there is another way to integrate the script.
Any ideas?
I think this is related to:
opened 10:19PM - 23 May 21 UTC
closed 05:16AM - 01 Aug 22 UTC
Customer's explanation of the issue:
I create a nonce for the actual embed script, read: the regular Matomo one, and the embed script for the tag manager. These two codes work perfectly fine. No CSP issues arise here.
Now let's say I create a tag that, for the sake of simplicity, fires on every click to the page. The tag itself is a "CUSTOM HTML" tag, that simply says: '<script>console.log("Hello from the Tag")</script>' and gets appended to the end of the html body.
When I now click on the webpage the tag gets fired and I get a CSP violation. "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive ...". From my understanding this is correct, as a script gets inserted that neither has a nonce nor a hash and therefore can not be deemed to be trustworthy. The tag manager though gets loaded via a nonce and therefore is trustworthy; I'd now need a mechanism to add the nonce from the tag manager to script elements that get created by the Matomo tag manager too. And this is what I struggle to do. Adding it as a custom var does not work (read from a header e.g.) as the tag management script removes most attributes of scripts added.
Sure, I could use script hashes, but then I'd need to know every script I'll add beforehand and add its hash to my CSP header, which defeats the purpose of the tag management.
1 Like
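A way to reproduce and fix the behaviour described above, as an added example that is not from Matomo or the original poster: once a CSP is active, browsers hide the `nonce` content attribute of a connected script element (`getAttribute('nonce')` returns an empty string), so any clone routine that only copies attributes drops the nonce; the `nonce` IDL property still carries the value and has to be copied explicitly. `cloneScriptNaive`, `cloneScriptWithNonce` and `fakeScript` are hypothetical names assumed here (not Matomo's own `cloneScript`); in a browser pass `(tag) => document.createElement(tag)` as the factory.

```javascript
// Added example: why attribute-copying loses the CSP nonce, and how to keep it.
// Under an active CSP, browsers "hide" the nonce of a connected element:
// el.getAttribute('nonce') is '' while the el.nonce IDL property keeps the value.

// Naive clone (models the behaviour reported in the thread): copies every
// content attribute and the script text, so the hidden nonce is dropped.
function cloneScriptNaive(source, createElement) {
  const clone = createElement('script');
  for (const { name, value } of Array.from(source.attributes)) {
    clone.setAttribute(name, value);
  }
  clone.text = source.text;
  return clone;
}

// Nonce-preserving clone: same attribute copy, then propagate the IDL nonce.
// CSP checks the element's internal nonce slot, so this clone passes a
// 'nonce-...' source expression while the naive one is refused.
function cloneScriptWithNonce(source, createElement) {
  const clone = cloneScriptNaive(source, createElement);
  if (source.nonce) clone.nonce = source.nonce;
  return clone;
}

// Minimal stand-in (constructed, not a real DOM) for an HTMLScriptElement that
// is already connected to a document with a header-delivered CSP, so this
// file also runs outside a browser. The nonce content attribute is hidden.
function fakeScript() {
  const attrs = new Map();
  return {
    nonce: '',
    text: '',
    get attributes() { return [...attrs].map(([name, value]) => ({ name, value })); },
    setAttribute(name, value) { attrs.set(name, name === 'nonce' ? '' : value); },
    getAttribute(name) { return attrs.has(name) ? attrs.get(name) : null; },
  };
}

// Build a source element as the browser exposes it after parsing
// <script type="text/javascript" nonce="r4nd0m"> under a CSP.
function sourceUnderCsp(nonce) {
  const s = fakeScript();
  s.setAttribute('type', 'text/javascript');
  s.setAttribute('nonce', nonce); // content attribute hidden -> ''
  s.nonce = nonce;                // IDL property keeps the real value
  s.text = 'console.log("Hello from the Tag")';
  return s;
}
```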
nezee
October 3, 2022, 6:36am
#3
Dear Phillipe, thank you for linking this issue, I guess that would solve my problem. I will try again with the new version as soon as it is available.