Uncaught EvalError due to missing unsafe-eval in CSP

Hi,

I cannot get a new Matomo instance to work on a server that has no unsafe-eval rule in the CSP. The UI renders incompletely (no data), and the browser console shows “uncaught EvalError” messages.

The only similar issue I found here is https://forum.matomo.org/t/problems-with-tight-csp-policies/28405; however, this thread died with no solution.

I would be grateful for any hint that helps me fix this. Thanks.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' ... (couple of (sub)domains following here)".

The failing script is index.php, module Proxy, action getCoreJs:

https://…/index.php?module=Proxy&action=getCoreJs&cb=b479f5931ab033dbda9d313c2ec3b650

Just add 'unsafe-eval' after 'unsafe-inline' in your CSP.
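Added example, not part of this thread and not Matomo project code: a small parser that answers, for a given Content-Security-Policy header value, whether the browser will refuse eval()/new Function() and raise the "Refused to evaluate a string as JavaScript" EvalError from the report above. It also includes the runtime probe and the securitypolicyviolation listener a practitioner would use to confirm which script trips the policy. The sample policies are constructed: the first follows the shape of the policy quoted in the error (the listed hostnames stand in for the elided "(sub)domains"), the second is the same policy with 'unsafe-eval' added as suggested in the reply.

```javascript
// Added example (not from the forum thread or from Matomo).
// Parse a single CSP policy string into a Map of directive -> [source expressions].
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive name; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing script execution: script-src if present,
// otherwise default-src, otherwise null (no restriction on scripts at all).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True if eval()/new Function()/string setTimeout are permitted by this policy.
// Only the 'unsafe-eval' keyword permits them: 'unsafe-inline' does not,
// and 'wasm-unsafe-eval' only covers WebAssembly compilation.
function evalAllowedByCsp(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// A page may be subject to several policies (multiple headers, or header plus
// <meta>); all are enforced, so eval is allowed only if every one allows it.
function evalAllowedByAllPolicies(policies) {
  return policies.every(evalAllowedByCsp);
}

// Runtime probe: under an enforcing CSP without 'unsafe-eval', new Function()
// throws an EvalError. In Node (no CSP) this simply returns true.
function evalPermittedAtRuntime() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Constructed sample policies (hostnames are placeholders).
const TIGHT_POLICY =
  "script-src 'self' 'unsafe-inline' https://cdn.example.test https://stats.example.test";
const RELAXED_POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.test https://stats.example.test";

function report(policy) {
  return `${evalAllowedByCsp(policy) ? 'eval allowed' : 'eval blocked'}: ${policy}`;
}

// In a browser, this listener shows which script tripped the policy: for an
// eval violation blockedURI is "eval" and sourceFile is the calling script's URL.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.log('CSP violation:', e.violatedDirective, e.blockedURI, e.sourceFile, e.lineNumber);
  });
}

console.log(report(TIGHT_POLICY));
console.log(report(RELAXED_POLICY));
console.log('eval permitted at runtime:', evalPermittedAtRuntime());
```

Paste the listener part into the page's console before reloading to see the offending script URL and line; the parser can be run against the exact header value returned by the server to check the policy before deploying it.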

Thank you for the quick reply, Fabian; however, for security reasons this is not an option. There should be a way of running Matomo without having to allow unsafe scripting techniques.

Hi @christophberger ,

I know that this issue you faced is from quite a while ago, but I’m currently facing the same issue with the same concern you have.

Did you find a solution to implement the Matomo script without changing CSP policies in an unsafe way?

Hi @KHJA, No, I didn’t. I stopped using Matomo a while ago.