matomo-org / matomo-nginx

Nginx configuration for running Matomo

Default configuration makes dashboard unusable #71

Open filipecatraia opened 2 years ago

filipecatraia commented 2 years ago
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

That's with the conf from this repo and no other changes, on a fresh install of Matomo :)

A CSP is required in some of the blocks:

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; base-uri 'self'; frame-src 'self'; object-src 'self'";

Another issue I see is that manifest.json is also 403'd by default with the configuration in this repo.
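
The error above follows from CSP fallback: with no `script-src` directive, `eval()` is governed by `default-src`, which here lacks `'unsafe-eval'`. The sketch below is an added example, not part of the original issue or the matomo-nginx repo. Its function names are hypothetical, and it models only the `script-src` to `default-src` fallback and the enforcement of multiple policies, using the two header values quoted in the issue.

```javascript
// Added example (not from the issue or the matomo-nginx repo).
// Function names are hypothetical; both header strings are quoted from the issue.
const REPORTED_POLICY =
  "default-src 'self' http: https: data: blob: 'unsafe-inline'";
const PROPOSED_POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; " +
  "base-uri 'self'; frame-src 'self'; object-src 'self'";

// Split one Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Report which directive governs eval() in one policy and whether it permits it.
function evalVerdict(header) {
  const policy = parseCsp(header);
  const directive =
    ['script-src', 'default-src'].find((d) => policy.has(d)) || null;
  // With neither directive present, this policy does not restrict scripts.
  if (directive === null) return { directive, evalAllowed: true };
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  return { directive, evalAllowed: sources.includes("'unsafe-eval'") };
}

// Every delivered policy is enforced, so eval() runs only if all of them allow it.
function evalAllowedByAll(headers) {
  return headers.every((h) => evalVerdict(h).evalAllowed);
}

console.log(evalVerdict(REPORTED_POLICY));
console.log(evalVerdict(PROPOSED_POLICY));
console.log(evalAllowedByAll([REPORTED_POLICY, PROPOSED_POLICY]));
```

If a response carries both headers, the stricter result applies, so the proposed header unblocks `eval()` only where the `default-src` header is not also sent.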