@mchandelier opened this Issue on May 19th 2017

Hi,
I've set up Piwik like you suggest in your FAQ. However, to be able to use it, I have to allow script-src 'unsafe-inline', which I don't want.

Will you make an enhancement to avoid this?

@godofdream commented on May 20th 2017

You could use 'nonce-myrandomstring' or move the snippet into an external JS file.

@mchandelier commented on May 22nd 2017

My piwik.js file is on my server and the snippet is already in an external file. I've tried to add the nonce on it but I still have the issue.

@mattab commented on June 21st 2017 Owner

Hi @mchandelier, do you confirm that our instructions at https://piwik.org/faq/general/faq_20904/ are outdated and that it doesn't just work?

@mchandelier commented on June 21st 2017

Hi @mattab,
It doesn't work for me. The only exception I have from the FAQ is that piwik.js is loaded from the same domain. I may do something wrong but I really don't see what.

@mattab commented on June 22nd 2017 Owner

OK, we will investigate in the next few weeks.

If anyone knows about CSP feel free to take a look (Pull request welcome!).

@mbarbey commented on August 15th 2017

Hi @mattab,
Do you have any news on this problem?

I am using the piwik script in an external file too to prevent having any inline js code in my pages, and I am encountering the same problem as @mchandelier.

Do you have an idea why the piwik script, which is embedded in an external script, requires using script-src 'unsafe-inline'?
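
Added example (not from the thread or the Piwik project): a small Node.js check for the nonce approach suggested earlier in the thread, listing the inline code on a page that a script-src policy without 'unsafe-inline' would block. The page markup, the nonce value and the `track()` handler are constructed, and the regex scan is a simplification, not a full HTML parser.

```javascript
// Added example: constructed inputs, simplified regex scan (not a full HTML parser).
const crypto = require("crypto");

// Fresh nonce per response plus the matching header.
function buildPolicy(nonce = crypto.randomBytes(16).toString("base64")) {
  return { nonce, header: `default-src 'self'; script-src 'self' 'nonce-${nonce}'` };
}

// Sources that govern scripts: script-src, falling back to default-src.
function scriptSources(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || [];
}

// List inline code in `html` that the policy in `header` would block.
// Hash sources ('sha256-...') are not evaluated here.
function findBlockedInline(header, html) {
  const sources = scriptSources(header);
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (sources.includes("'unsafe-inline'") && !strict) return [];
  const nonces = sources.filter((s) => s.startsWith("'nonce-")).map((s) => s.slice(7, -1));
  const blocked = [];
  // Inline <script> elements: no src attribute and a non-empty body.
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(attrs) || !body.trim()) continue;
    const n = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!n || !nonces.includes(n[1])) blocked.push("inline <script>: " + body.trim().slice(0, 40));
  }
  // Inline event handlers cannot carry a nonce, so they are always blocked.
  for (const m of html.matchAll(/<[a-z][^>]*\s(on[a-z]+)\s*=/gi)) blocked.push("event handler: " + m[1]);
  return blocked;
}

// Constructed sample page; the nonce is fixed only so the output is repeatable.
const policy = buildPolicy("Y29uc3RydWN0ZWQtbm9uY2U=");
const samplePage = `
<script nonce="${policy.nonce}">var _paq = window._paq || []; _paq.push(['trackPageView']);</script>
<script src="/piwik.js" async defer></script>
<script>_paq.push(['enableLinkTracking']);</script>
<a href="/out" onclick="track()">out</a>`;

console.log(findBlockedInline(policy.header, samplePage));
```

Anything this reports corresponds to a CSP violation message in the browser console, which names the blocked element and its source line.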
