Content Security Policy (CSP) issue

I followed the install async from

```html
<script nonce="tzT4D_jxELBN94UD4ta9FyHD" type="text/javascript">/*<![CDATA[*/ 
(function(window, document, dataLayerName, id) {
window[dataLayerName]=window[dataLayerName]||[],window[dataLayerName].push({start:(new Date).getTime(),event:"stg.start"});var scripts=document.getElementsByTagName('script')[0],tags=document.createElement('script');
function stgCreateCookie(a,b,c){var d="";if(c){var e=new Date;e.setTime(e.getTime()+24*c*60*60*1e3),d="; expires="+e.toUTCString()}document.cookie=a+"="+b+d+"; path=/"}
var isStgDebug=(window.location.href.match("stg_debug")||document.cookie.match("stg_debug"))&&!window.location.href.match("stg_disable_debug");stgCreateCookie("stg_debug",isStgDebug?1:"",isStgDebug?14:-1);
var qP=[];dataLayerName!=="dataLayer"&&qP.push("data_layer_name="+dataLayerName),isStgDebug&&qP.push("stg_debug");var qPString=qP.length>0?("?"+qP.join("&")):"";
tags.async=!0,tags.src="https://CLIENT.containers.piwik.pro/"+id+".js"+qPString,scripts.parentNode.insertBefore(tags,scripts);
!function(a,n,i){a[n]=a[n]||{};for(var c=0;c<i.length;c++)!function(i){a[n][i]=a[n][i]||{},a[n][i].api=a[n][i].api||function(){var a=[].slice.call(arguments,0);"string"==typeof a[0]&&window[dataLayerName].push({event:n+"."+i+":"+a[0],parameters:[].slice.call(arguments,1)})}}(i[c])}(window,"ppms",["tm","cm"]);
})(window, document, 'dataLayer', 'IDDDD');
 /*]]>*/</script>
```

I noticed that the JavaScript tag inserted by this code does not have a nonce value:

```html
<script async="" src="https://CLIENT.containers.piwik.pro/IDDDD.js"></script>
```

and the CSP setup from

my CSP header (formatted for easy reading):

```
default-src 'self';
script-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro 'nonce-NONCEVALUE';
style-src 'self' 'unsafe-inline' CLIENT.containers.piwik.pro CLIENT.piwik.pro;
img-src 'self' data: CLIENT.containers.piwik.pro CLIENT.piwik.pro;
connect-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro;
font-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro
```

and I get multiple JavaScript errors (in each browser) like this:

```
IDDDD.js:8 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ugent.containers.piwik.pro ugent.piwik.pro 'nonce-NONCEVALUE'". Either the 'unsafe-inline' keyword, a hash ('sha256-nxo4EskUoTDeZxPZmw/HiB5b6h9wdgxpDuYxXVQ9iPQ='), or a nonce ('nonce-...') is required to enable inline execution.
renderScriptElement @ IDDDD.js:8
renderNode @ IDDDD.js:8
render @ IDDDD.js:8
(anonymous) @ IDDDD.js:8
consume @ IDDDD.js:8
consume @ IDDDD.js:8
processEventsPushedBeforeOverride @ IDDDD.js:8
override @ IDDDD.js:8
init @ IDDDD.js:8
(anonymous) @ IDDDD.js:8
(anonymous) @ IDDDD.js:8
(anonymous) @ IDDDD.js:8
```

It used to work, but starting from around 12 October 2022, stats collection dropped to zero.
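The posted policy checked against the script elements involved, as an added example that is not part of the original post and is not Piwik PRO's code. It is a simplified `script-src` evaluation (only `'self'`, host sources, nonces and `'unsafe-inline'`); the page origin `https://www.example.org` and all function names are assumptions. It shows that the nonce-less loader tag is still permitted by the host allowlist, while an inline script created without the nonce is what the quoted error refers to.

```javascript
// Added example: simplified CSP script-src check. Not a full CSP
// implementation (no hashes, 'strict-dynamic', wildcards, schemes or paths).
const POSTED_POLICY = [
  "default-src 'self'",
  "script-src 'self' CLIENT.containers.piwik.pro CLIENT.piwik.pro 'nonce-NONCEVALUE'",
  "style-src 'self' 'unsafe-inline' CLIENT.containers.piwik.pro CLIENT.piwik.pro",
].join("; ");
const PAGE_ORIGIN = "https://www.example.org"; // constructed, not from the post

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script: { src?: string, nonce?: string }; no src means an inline script.
function checkScript(header, pageOrigin, script) {
  const d = parseCsp(header);
  const sources = d.get("script-src") || d.get("default-src") || [];
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return "allowed: nonce";
  if (script.src) {
    const url = new URL(script.src, pageOrigin);
    if (sources.includes("'self'") && url.origin === new URL(pageOrigin).origin)
      return "allowed: self";
    const hostOk = sources.some(
      (s) => !s.startsWith("'") && s.toLowerCase() === url.hostname
    );
    return hostOk ? "allowed: host" : "blocked: external";
  }
  // Browsers ignore 'unsafe-inline' once the directive carries a nonce.
  if (sources.includes("'unsafe-inline'") && nonces.length === 0)
    return "allowed: unsafe-inline";
  return "blocked: inline";
}

const loaderTag = { src: "https://CLIENT.containers.piwik.pro/IDDDD.js" };
console.log(checkScript(POSTED_POLICY, PAGE_ORIGIN, loaderTag));
console.log(checkScript(POSTED_POLICY, PAGE_ORIGIN, {}));
console.log(checkScript(POSTED_POLICY, PAGE_ORIGIN, { nonce: "NONCEVALUE" }));
```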

Hi. Could you share website URL?

the production url is

but the setup is different, I’ve tried a lot of things and the most lean setup is the one I’ve posted above and is running on my machine

Thanks for the report. The issue is on our end and should be fixed early next week, most likely on Monday.

The issue has been resolved by Piwik.

Thanks for confirming!