• First of all, thanks for a great plugin.

    I am using Content-Security-Policy-Report-Only ( http://www.w3.org/TR/CSP11/ ) on my site which uses Piwik 2.5 and WP-Piwik and I get violations flagged in the Chrome Console Panel for the inlined Piwik tracking script.

    <!-- Piwik -->
    <script type="text/javascript">
      var _paq = _paq || [];
      _paq.push(['trackPageView']);
      _paq.push(['enableLinkTracking']);
      (function() {
        var u=(("https:" == document.location.protocol) ? "https" : "http") + "://www.mypiwik.mydomain.com/";
        _paq.push(['setTrackerUrl', u+'js/']);
        _paq.push(['setSiteId', 1]);
        var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript';
        g.defer=true; g.async=true; g.src=u+'js/'; s.parentNode.insertBefore(g,s);
      })();
    </script>
    <!-- End Piwik Code -->

    Here is my htaccess rule…

    Header set Content-Security-Policy-Report-Only "default-src 'none'; \
    style-src 'self'; \
    font-src 'self'; \
    img-src 'self' http://www.mypiwik.mydomain.com; \
    script-src 'self' http://www.mypiwik.mydomain.com ajax.googleapis.com"

    I believe that the violation can be removed in a few ways – adding a hash, nonce, or loading the script from a file in an approved (in the CSP rule) domain. (‘unsafe-inline’ is not a safe option).

    Is there anything you can do in WP-Piwik to remove these violations?

    https://ww.wp.xz.cn/plugins/wp-piwik/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author braekling

    (@braekling)

    Can you tell me what these violations are about?

    Can you tell me how to change the tracking code to work with your environment?

    If you have questions about the tracking code itself and your CSP-environment, you should ask the Piwik community: http://www.piwik.org

    Thread Starter barthat

    (@barthat)

    The idea behind CSP is to prevent content injection attacks such as XSS. I think it will become more important for security conscious web sites to implement as the mainstream browsers now support it.

    I get two inline violations in relation to Piwik

    1) script-src related
    – I don’t know how your plugin inserts the tracking code, but the end result is inline script which is not allowed with Content-Security-Policy (without unsafe-eval which defeats the whole purpose) (see http://www.w3.org/TR/CSP11/#directive-script-src )

    2) style-src related
    For Piwik users that use the image tracking method there is also an inline style violation

    <noscript><p><img src="http://www.mypiwik.mydomain.com/js/?idsite=1" style="border:0;" alt="" /></p></noscript>

    For further background http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful

    I am not a developer but I see three options to fix the violations

    1) load the relevant code using src= from a location which can be whitelisted in the script-src source-list e.g. the piwik install domain or the website domain.

    2) add a nonce http://www.w3.org/TR/CSP11/#script-src-nonce-usage to the inlined script

    3) add a hash http://www.w3.org/TR/CSP11/#script-src-hash-usage to the inlined script

    I imagine option 1 is the easiest but then again I am not a developer. 🙂
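The three fixes listed in the post above (hash, nonce, or an external whitelisted file), worked through as an added Python example that is not part of this thread or of WP-Piwik: it derives the CSP 1.1 hash-source for an inline script body, generates a nonce, and checks which variants of the posted header admit the snippet. The script body and header string are constructed from the snippets in the thread; the function names are my own.

```python
import base64
import hashlib
import secrets

# Constructed sample: the inline <script> body exactly as served. The hash
# covers every byte between the tags, so whitespace and newlines matter.
PIWIK_INLINE_JS = """
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
"""

# The report-only policy from the original post, joined into one header value.
ORIGINAL_POLICY = ("default-src 'none'; style-src 'self'; font-src 'self'; "
                   "img-src 'self' http://www.mypiwik.mydomain.com; "
                   "script-src 'self' http://www.mypiwik.mydomain.com ajax.googleapis.com")

def csp_hash_source(script_body, algo="sha256"):
    """CSP 1.1 hash-source for an inline script body, e.g. 'sha256-<base64>'."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def new_nonce(nbytes=16):
    """Fresh per-response nonce; the same value must appear as <script nonce="...">."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def add_script_source(policy, source):
    """Append a source expression to the policy's script-src directive."""
    directives = [d.strip() for d in policy.split(";") if d.strip()]
    return "; ".join(d + " " + source if d.lower().startswith("script-src") else d
                     for d in directives)

def inline_script_allowed(policy, script_body, nonce=None):
    """Decide whether script-src (falling back to default-src) admits the inline script."""
    directives = {}
    for d in policy.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    # Once a nonce or hash is listed, CSP Level 2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return any(csp_hash_source(script_body, a) in sources
               for a in ("sha256", "sha384", "sha512"))
```

Paste the returned hash-source into the script-src list of the .htaccess header; any change to the inline body, even whitespace, invalidates it, which is why a file loaded from a whitelisted origin is the lower-maintenance option.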


The topic ‘Content Security Policy’ is closed to new replies.