Script in Custom-Html Tag does not support nonce attribut

nezee · September 23, 2022, 8:57am

After a lot of trial and error and debugging we found out that it is not possible to set the nonce attribut in a script tag like this:

<script type="text/javascript" nonce={{nonce_value}}>

At some point Matomo is calling a function called “cloneScript” and in that function it is not cloning the nonce attribut.

Is there a reason for that? Unfortunately this means we cannot use the A/B testing feature of Matomo, unless there is another way to integrate the script.

Any ideas?

heurteph-ei · September 23, 2022, 2:52pm

I think this is related to:

github.com/matomo-org/tag-manager

Fix for Tagmanager working along with CSP when triggering a HTML tag

opened 10:19PM - 23 May 21 UTC

closed 05:16AM - 01 Aug 22 UTC

KarthikRaja1388

Customer's explanation of the issue: I create a nonce for the actual embed Sc…ript, read: the regular matomo one, and the embed script for the tag manager. These two codes work perfectly fine. No csp issues arrise here. Now lets say, i create a tag, that for the sake of simplicity, fires on every click to the page. The tag it self is a "CUSTOM HTML" tag, that simply says: '<script>console.log("Hello from the Tag")</script>' and gets appended to the end of the html body. When i now click on the webpage the tag gets fired and i get a csp viloation. "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive ...". From my understanding this is correct, as a script gets inserted that neither has a nonce nor a hash and therefore can not be deemed to be trustworthy. The tag-manager tho, gets loaded via a nonce and therefore is trustworthy, i'd now need a mechanism to add the nonce from the tagmanager to script elements that get created by the matomo tag manager too. And this is what i struggle to do. Adding it as a custom-var does not work (read from a header eg) as the tagmanagment script removes most attributes of scripts added. Sure, I could use script hashes, but then i'd need to know every script i'll add beforehand and add its hash to my CSP-Header, which defeats the purpose of the tag management.

nezee · October 3, 2022, 6:36am

Dear Phillipe, thank you for linking this issue, I guess that would solve my problem. I will try again with the new version as soon as it will be available.