nezee
September 23, 2022, 8:57am
After a lot of trial and error and debugging we found out that it is not possible to set the nonce attribute in a script tag like this:
<script type="text/javascript" nonce={{nonce_value}}>
At some point Matomo is calling a function called "cloneScript", and in that function it is not cloning the nonce attribute.
Is there a reason for that? Unfortunately this means we cannot use the A/B testing feature of Matomo, unless there is another way to integrate the script.
Any ideas?
I think this is related to:
opened 10:19PM - 23 May 21 UTC
closed 05:16AM - 01 Aug 22 UTC
Customer's explanation of the issue:
I create a nonce for the actual embed Script, read: the regular Matomo one, and the embed script for the tag manager. These two codes work perfectly fine. No CSP issues arise here.
Now let's say I create a tag that, for the sake of simplicity, fires on every click on the page. The tag itself is a "CUSTOM HTML" tag that simply says: '<script>console.log("Hello from the Tag")</script>' and gets appended to the end of the HTML body.
When I now click on the webpage the tag gets fired and I get a CSP violation: "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive ...". From my understanding this is correct, as a script gets inserted that has neither a nonce nor a hash and therefore cannot be deemed trustworthy. The tag manager, though, gets loaded via a nonce and is therefore trustworthy; I'd now need a mechanism to add the nonce from the tag manager to script elements that get created by the Matomo tag manager too. And this is what I struggle to do. Adding it as a custom var does not work (read from a header, e.g.), as the tag management script removes most attributes of scripts it adds.
Sure, I could use script hashes, but then I'd need to know every script I'll add beforehand and add its hash to my CSP header, which defeats the purpose of tag management.
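The mechanism behind the failure described in this post, as an added example that is not Matomo's code or part of the original thread. Under a header-delivered CSP with a `'nonce-...'` source, browsers apply nonce hiding: the `nonce` content attribute is blanked (so `getAttribute('nonce')` returns `""`) and the real value survives only in the element's `nonce` IDL property. A "cloneScript" routine that rebuilds a fresh `<script>` by walking `getAttributeNames()` / `getAttribute()` therefore produces an element with no nonce, which the policy then blocks. The `ScriptElement` class below is a constructed stand-in for `HTMLScriptElement` so the code runs under Node without a DOM; it applies hiding at `setAttribute` time for simplicity, whereas a browser does it when the element becomes connected. The function names and the sample nonce are assumptions of this example.

```javascript
// Added example (not Matomo code): why copying a <script>'s attributes drops its CSP nonce,
// and the one-line fix. Runs under Node with no DOM.

// Constructed stand-in for HTMLScriptElement; only nonce-relevant behaviour is modelled.
class ScriptElement {
  constructor(attrs = {}) {
    this.attributes = {};   // content attributes, as seen through getAttribute()
    this.nonce = '';        // IDL property backing the element's [[CryptographicNonce]] slot
    this.text = '';
    for (const [name, value] of Object.entries(attrs)) this.setAttribute(name, value);
  }

  setAttribute(name, value) {
    if (name === 'nonce') {
      this.nonce = value;          // the value lands in the nonce slot ...
      this.attributes.nonce = '';  // ... and the content attribute is hidden (nonce hiding)
      return;
    }
    this.attributes[name] = value;
  }

  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attributes, name) ? this.attributes[name] : null;
  }

  getAttributeNames() {
    return Object.keys(this.attributes);
  }
}

// The failing pattern: rebuild the element from its content attributes and text only.
// This is what a tag manager has to do, because cloneNode() copies the "already started"
// flag and a cloned script would never execute.
function cloneScriptAttributesOnly(src) {
  const copy = new ScriptElement();
  for (const name of src.getAttributeNames()) copy.setAttribute(name, src.getAttribute(name));
  copy.text = src.text;
  return copy;
}

// The fix: also copy the nonce IDL property, the only place the value survives hiding.
function cloneScriptWithNonce(src) {
  const copy = cloneScriptAttributesOnly(src);
  copy.nonce = src.nonce;
  return copy;
}

// Would a `script-src 'nonce-<policyNonce>'` policy let this element execute?
// Models the browser's check when preparing the script: the slot must equal the policy nonce.
function allowedByNonce(script, policyNonce) {
  return script.nonce !== '' && script.nonce === policyNonce;
}

function demo() {
  // Constructed sample nonce; in production generate a fresh random value per response.
  const policyNonce = 'c29tZS1yYW5kb20tdmFsdWU';
  const original = new ScriptElement({ type: 'text/javascript', nonce: policyNonce });
  original.text = 'console.log("Hello from the Tag")';
  return {
    attributeAfterHiding: original.getAttribute('nonce'),
    naiveCloneAllowed: allowedByNonce(cloneScriptAttributesOnly(original), policyNonce),
    fixedCloneAllowed: allowedByNonce(cloneScriptWithNonce(original), policyNonce),
  };
}

console.log(demo());
```

Two practical notes. First, the same hiding is why reading the nonce off the embed `<script>` tag with `getAttribute('nonce')` at runtime yields an empty string; use `document.currentScript.nonce` (or any nonced element's `.nonce`) instead. Second, an alternative that avoids propagating nonces at all is adding `'strict-dynamic'` to `script-src`: scripts created with `createElement` by an already-trusted (nonced) script are then allowed without carrying a nonce themselves, but parser-inserted scripts (`innerHTML`, `document.write`) are still not trusted, so a "CUSTOM HTML" tag that is injected as markup rather than as a created element remains blocked.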
nezee
October 3, 2022, 6:36am
Dear Phillipe, thank you for linking this issue; I guess that would solve my problem. I will try again with the new version as soon as it is available.
KHJA
July 14, 2023, 8:21am
Hi @nezee ,
I am currently investigating the solution to add a nonce value to the Matomo script that we are trying to implement.
I'm wondering if you were able to solve this issue after the 2022.2 update?
nezee
July 14, 2023, 11:42am
Hi @KHJA ,
Yes, after the update it worked as expected!