Content Security Policy (CSP) issue

I followed the install async from

	<script nonce="tzT4D_jxELBN94UD4ta9FyHD" type="text/javascript">/*<![CDATA[*/ 
(function(window, document, dataLayerName, id) {
window[dataLayerName]=window[dataLayerName]||[],window[dataLayerName].push({start:(new Date).getTime(),event:"stg.start"});var scripts=document.getElementsByTagName('script')[0],tags=document.createElement('script');
function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d="; expires="+e.toUTCString()}document.cookie=a+"="+b+d+"; path=/"}
var isStgDebug=(window.location.href.match("stg_debug")||document.cookie.match("stg_debug"))&&!window.location.href.match("stg_disable_debug");stgCreateCookie("stg_debug",isStgDebug?1:"",isStgDebug?14:-1);
var qP=[];dataLayerName!=="dataLayer"&&qP.push("data_layer_name="+dataLayerName),isStgDebug&&qP.push("stg_debug");var qPString=qP.length>0?("?"+qP.join("&")):"";
tags.async=!0,tags.src="https://CLIENT.containers.piwik.pro/"+id+".js"+qPString,scripts.parentNode.insertBefore(tags,scripts);
!function(a,n,i){a[n]=a[n]||{};for(var c=0;c<i.length;c++)!function(i){a[n][i]=a[n][i]||{},a[n][i].api=a[n][i].api||function(){var a=[].slice.call(arguments,0);"string"==typeof a[0]&&window[dataLayerName].push({event:n+"."+i+":"+a[0],parameters:[].slice.call(arguments,1)})}}(i[c])}(window,"ppms",["tm","cm"]);
})(window, document, 'dataLayer', 'IDDDD');
 /*]]>*/</script>

I noticed the javascript tag being inserted by this code not having a nonce value

 <script async="" src="https://CLIENT.containers.piwik.pro/IDDDD.js"></script>

and the CSP setup from

my CSP header (formatted for easy reading):

default-src 'self';
script-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro 'nonce-NONCEVALUE';
style-src 'self' 'unsafe-inline' CLIENT.containers.piwik.pro CLIENT.piwik.pro;
img-src 'self' data: CLIENT.containers.piwik.pro CLIENT.piwik.pro;
connect-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro;
font-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro

and I get multiple javascript errors (in each browser) like this:

IDDDD.js:8 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ugent.containers.piwik.pro ugent.piwik.pro 'nonce-NONCEVALUE'". Either the 'unsafe-inline' keyword, a hash ('sha256-nxo4EskUoTDeZxPZmw/HiB5b6h9wdgxpDuYxXVQ9iPQ='), or a nonce ('nonce-...') is required to enable inline execution.
|renderScriptElement|@|IDDDD.js:8|
|---|---|---|
|renderNode|@|IDDDD.js:8|
|render|@|IDDDD.js:8|
|(anonymous)|@|IDDDD.js:8|
|consume|@|IDDDD.js:8|
|consume|@|IDDDD.js:8|
|processEventsPushedBeforeOverride|@|IDDDD.js:8|
|override|@|IDDDD.js:8|
|init|@|IDDDD.js:8|
|(anonymous)|@|IDDDD.js:8|
|(anonymous)|@|IDDDD.js:8|
|(anonymous)|@|IDDDD.js:8|

it used to work but starting from around 12 october 2022, stats collection dropped to zero

Hi. Could you share website URL?

the production url is

but the setup is different, I’ve tried a lot of things and the most lean setup is the one I’ve posted above and is running on my machine

Thanks for the report. The issue is on our and and should be fixed early next week, most likely on Monday.

issue has been resolved by Piwik

1 Like

Thanks for confirming!