SRI sub resource integrity hashes

That looks correct, but I have not used Apache before, so I don’t know the syntax enough to say if it is.

Even when I release everything with * it doesn’t work out -weird.
Am I the only one who does this?

apparently the attribute crossorigin=“anonymous” is missing
How can I include this in the Matomo Tracking Coder.


You can add any attribute to a HTML tag like g.setAttribute("key","value");, so in this case it would be


Doesn’t the whole thing have to be put into a code together with the SRI hash? Because if I just put it underneath, it still won’t work.


g is the HTML <script> tag.
With g.something you modify this script tag (make it async/defer, add atributes, set the src).
Afterwards with s.parentNode.insertBefore(g,s); it is inserted into the page (before s, which is the first <script> on the page).

So as long as you do it before inserting, you can modfiy that HTML tag as often as you want.

I didn’t really understand that. Could you show me more closely using the example of the tracking code? That would be very nice.

This is the normal tracking code with all variables replaced with longer, more readable names and comments:

var _paq = _paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(["setDocumentTitle", document.domain + "/" + document.title]);
_paq.push(["setCookieDomain", "*"]);
_paq.push(["setDomains", ["*"]]);
(function () {
    var baseUrl = "//";
    _paq.push(['setTrackerUrl', baseUrl + 'piwik.php']);
    _paq.push(['setSiteId', '1']);
    var newScriptTag = document.createElement('script'); // create a new empty <script> tag
    var firstScript = document.getElementsByTagName('script')[0]; // look up the last <script> tag on the page
    newScriptTag.type = 'text/javascript';
    newScriptTag.async = true;
    newScriptTag.defer = true;
    newScriptTag.setAttribute("integrity", "thestring");
    newScriptTag.setAttribute("crossorigin", "anonymous");
    newScriptTag.src = baseUrl + 'piwik.js';
    // at this point `newScriptTag` looks something like this
    // <script type="text/javascript" async="" defer="" integrity="thestring" crossorigin="anonymous" src="https://matomo.example/piwik.js">
    firstScript.parentNode.insertBefore(newScriptTag, firstScript); // now we add this <script> into the page (before the first existing <script> on the page)

The whole script does nothing else than manually building a <script type="text/javascript" async="" defer="" integrity="thestring" crossorigin="anonymous" src="https://matomo.example/piwik.js"> and then adding it to the page.

I give up. There’s always the mistake:

Access to script at ‘’ from origin ‘’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
I tried almost everything to get the Access-Control-Allow-Origin “*” into the header via .htaccess. The error just does not go away

So I could solve the first problem. I had to activate the CORS in the Matomo server in the .htaccess.
The last problem I have now is:
None of the “sha384” hashes in the “integrity” attribute match the contents of the subresource.
Im Google Chrome -> Failed to find a valid digest in the ‘integrity’ attribute for resource ‘’ with computed SHA-256 integrity ‘tSYI65ATDyYdOFB/dEXnP5xU/em0gdI/GYe6/R7VCQo=’. The resource has been blocked.
What does this mean?


According to both and openssl:

➜  ~/tmp wget
➜  ~/tmp openssl dgst -sha384 -binary matomo.js | openssl base64 -A 

the correct hash is

What did you enter?

Wow, your hash works. Oh, man, what did I do wrong?

I went to Then entered the domain and copied the HAsh.

Did not include the matomo.js. I guess that’s it.

I have absolutly no idea:

Now it works oh help. Thank you so much for being patient with me. You’ve been a huge help.
This is as good as it gets.

1 Like