Piwik Pro Core and CSP 3

Hello,

In order to use Piwik, we were required to modify our CSP rules and allow 'unsafe-inline' for scripts and CSS.

Is there a way to use Piwik Pro Core without needing to allow 'unsafe-inline'?
We thought about hashing the loaded code to verify its integrity, but we don't know if it would be worth it, since it needs to be redone after every update.

Do you have any ideas?

Kind Regards
Peter Dobrovka

Hi @Peter_Dobrovka,

I think one of the following options would help:

Cheers,
Richard

Hi!
I’ve used the solution described here: Content Security Policy (CSP) — Piwik PRO Analytics Suite 16.33 documentation - adding a nonce to the script tag, the async snippet.
This works fine for the snippet added in our code, and your script with url "//client.containers.piwik.pro/" + id is rendered, but this also contains some inline JavaScript which is not compatible with our CSP.

The error is:
"Refused to execute inline script because it violates the following Content Security Policy directive: {our-csp-policy}. Either the 'unsafe-inline' keyword, a hash ('sha256-DgVhUVTQ+TEJ6+ABFhX7YkjWxXlR7W0LMK7iLEU+QrQ='), or a nonce ('nonce-...') is required to enable inline execution."

It is triggered by the line in bold in the function below:
function(e, t) {
var n = function(e) {
var t = function(t, n) {
e.addEventListener ? e.addEventListener(t, n, !1) : e.attachEvent ? e.attachEvent("on" + t, n) : e["on" + t] = n
}
, n = function(t, n) {
e.removeEventListener ? e.removeEventListener(t, n, !1) : e.detachEvent ? e.detachEvent("on" + t, n) : e["on" + t] = null
}
, i = function(t) {
var n = t || e.event;
n.cancelBubble = !0,
n.stopPropagation && n.stopPropagation()
}
, r = function(t) {
return e.appendChild(t)
};
return {
bind: t,
unbind: n,
stop: i,
appendChild: r
}
};
n.$inject = ,
e.provider(t, function() {
return n
})
}
How can we pass the nonce to this script? Or can you remove the inline code there?

Regards,
Teodora Colac.