Making the WP-Matomo plugin CSP (Content Security Policy) compatible

  • Adding Content Security Policy HTTP header or html meta tags to your website will add another layer of security by protecting the website and it’s visitors from Cross-site scripting (XSS) attacks. Another good reference for CSP is this: https://content-security-policy.com/.

    Example of a CSP HTTP header would be 

    <?php
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');

function set_CSP_header() {
 $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.my-own-matomo-analytics-website.com; connect-src 'self'; img-src 'self' www.my-own-matomo-analytics-website.com; style-src 'self';";
 header($CSP);
}
?>

    Currently this CSP header does not work with WP-Matomo plugin because it blocks the tracking script from loading. Website adminstrators would have to have ‘unsafe-line’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.

    To make WP-Matomo CSP compatible, the tracking script would have to be loaded from a separate .js file.

    Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?

    • This topic was modified 5 years, 4 months ago by kysymysteke. Reason: added another reference about CSP
Viewing 1 replies (of 1 total)
  • Plugin Author braekling

    (@braekling)

    Thanks for your suggestion.

    To be honest, I don’t really get the issue. The tracking code loads the tracking script from a separated JavaScript file.

    Or do you like to move the tracking code into a JS as well? This is not a good idea, because depending on the configuration, the tracking code will set page specific parameters. I guess, for most users this won’t work.

    Anyway, I’ll have a look if I can provide this at least as an optional feature. As a workaround, you can create your own JS file containing your tracking code and load this in your theme’s header, of course. The tracking functionality of WP-Matomo is optional, the statistics can be shown anyway.

Viewing 1 replies (of 1 total)
  • The topic ‘Making the WP-Matomo plugin CSP (Content Security Policy) compatible’ is closed to new replies.