Support » Plugin: WP-Matomo (WP-Piwik) » Making the WP-Matomo plugin CSP (Content Security Policy) compatible

  • kysymysteke


    Adding Content Security Policy HTTP header or html meta tags to your website will add another layer of security by protecting the website and it’s visitors from Cross-site scripting (XSS) attacks. Another good reference for CSP is this:

    Example of a CSP HTTP header would be

    add_action('send_headers', 'set_CSP_header');
    add_action('login_init', 'set_CSP_header');
    add_action('admin_init', 'set_CSP_header');
    function set_CSP_header() {
     $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";

    Currently this CSP header does not work with WP-Matomo plugin because it blocks the tracking script from loading. Website adminstrators would have to have ‘unsafe-line’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.

    To make WP-Matomo CSP compatible, the tracking script would have to be loaded from a separate .js file.

    Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?

    • This topic was modified 6 months ago by kysymysteke. Reason: added another reference about CSP
Viewing 1 replies (of 1 total)
  • Plugin Author braekling


    Thanks for your suggestion.

    To be honest, I don’t really get the issue. The tracking code loads the tracking script from a separated JavaScript file.

    Or do you like to move the tracking code into a JS as well? This is not a good idea, because depending on the configuration, the tracking code will set page specific parameters. I guess, for most users this won’t work.

    Anyway, I’ll have a look if I can provide this at least as an optional feature. As a workaround, you can create your own JS file containing your tracking code and load this in your theme’s header, of course. The tracking functionality of WP-Matomo is optional, the statistics can be shown anyway.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.