matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

[Bug] Critical Firefox Bug Affecting Matomo #22529

Closed Chardonneaur closed 3 weeks ago

Chardonneaur commented 1 month ago

What happened?

Whitespace (https://whitespace.se/) identified a critical bug affecting many Matomo installations, as well as other web analytics services. The issue specifically impacts newer versions of the Firefox browser, preventing it from calling Matomo for logging page views and other activities. As a result, web statistics are not collected from users visiting websites with Matomo via Firefox.

The bug was traced back to specific web server configurations, particularly involving the x-content-type-options: nosniff HTTP header. When this header was enabled and the server returned an empty response with a 200 OK status code, Firefox failed to load the required Matomo resource. This issue did not occur with other web browsers.

To address this, Whitespace suggested two potential solutions: either set an explicit Content-Type for empty responses or remove the nosniff header in certain situations. These measures aim to ensure that Firefox can successfully log data with Matomo, restoring accurate web analytics functionality.

What should happen?

Ideally, when users visit a website using Matomo for analytics via Firefox, the browser should successfully call the matomo.php file to log page views and other activities. This ensures that web statistics are accurately collected for all users, regardless of the browser they are using.

For this to happen:

Matomo should be compatible with all major browsers, including newer versions of Firefox, ensuring that data collection and analytics functionalities work seamlessly.

The web server configurations should be correctly set up to allow the necessary files to load. This includes ensuring that HTTP headers like x-content-type-options: nosniff do not interfere with the loading of required resources.

When a response is returned by the server, it should be correctly configured, possibly by setting an explicit Content-Type even for empty responses, to avoid any errors in the browser. Removing or modifying headers that might block resource loading, like the nosniff header, in specific contexts, would ensure Firefox can successfully log analytics data.

By implementing these best practices and configurations, Matomo can provide accurate and reliable analytics data across all web browsers, including Firefox.

How can this be reproduced?

To reproduce the issue where Firefox fails to load the matomo.php file, follow these steps:

Set Up a Test Environment: Ensure you have a web server with Matomo installed and configured correctly. Make sure the server is configured to serve web analytics using Matomo.

Configure the Web Server: Modify the server settings to include the HTTP header x-content-type-options: nosniff. Ensure that when certain resources (such as matomo.php) are requested, the server returns an empty response with a 200 OK status code. This configuration can often be done by modifying the server’s configuration files (e.g., Apache’s .htaccess file or Nginx’s configuration) to include the nosniff header.

Use a Newer Version of Firefox: Open a newer version of the Firefox browser (ensure it's updated to a recent release). Clear the browser cache to make sure the test isn't affected by cached responses.

Visit a Website that Uses Matomo: Navigate to a website that has Matomo tracking enabled and uses the server configuration mentioned above. You can set up a test webpage on your server or use an existing one known to use Matomo with the specified configuration.

Inspect the Browser Console: Open Firefox's Developer Tools (usually accessible via Ctrl+Shift+I or Cmd+Option+I on Mac). Go to the "Console" tab and look for error messages related to matomo.php. You should see an error message like NS_ERROR_FAILURE, indicating that Firefox failed to load the resource.

Check Matomo Analytics: Log in to the Matomo dashboard and check if any page views or activity data were recorded for the visits made from Firefox. If the issue is present, no statistics will be collected for users visiting via Firefox.

By following these steps, you should be able to reproduce the issue where Firefox fails to collect analytics data due to the nosniff header and the server returning an empty 200 OK response. This helps in verifying the existence of the bug and testing potential solutions.

Matomo version

?

PHP version

No response

Server operating system

No response

What browsers are you seeing the problem on?

No response

Computer operating system

No response

Relevant log output

No response

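A check for the response shape described in the reproduction steps above, as an added example that is not Matomo's or Whitespace's code: it starts a constructed loopback server that answers /matomo.php with the reported combination (empty 200, nosniff, Content-Length 0, no Content-Type) and, under an assumed /fixed/ prefix, with the explicit Content-Type the report suggests, then classifies each response the way a defender would when auditing a tracker endpoint.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def diagnose(status, headers, body):
    """Classify one response; `headers` maps lower-cased names to values."""
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    has_ctype = "content-type" in headers
    if status == 200 and len(body) == 0 and nosniff and not has_ctype:
        # exactly the combination the report says newer Firefox rejects
        return "firefox-breaking: empty 200 with nosniff but no Content-Type"
    if len(body) == 0 and not has_ctype:
        return "warning: empty response without Content-Type"
    return "ok"

def fetch(host, port, path):
    """GET `path`; return (status, lower-cased header dict, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body

class Handler(BaseHTTPRequestHandler):
    """Constructed tracker stand-in: empty 200 with nosniff and Content-Length 0;
    paths under /fixed/ (assumed) add the explicit Content-Type the report proposes."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", "0")
        if self.path.startswith("/fixed/"):
            self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence request logging so only the verdicts print

def run_demo():
    """Serve both variants on a loopback port; return {path: verdict}."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    verdicts = {p: diagnose(*fetch("127.0.0.1", port, p)) for p in ("/matomo.php", "/fixed/matomo.php")}
    srv.shutdown()
    return verdicts

if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(path, "->", verdict)
```

Pointing `fetch` at a real installation's matomo.php (with the nosniff header in place) gives the same verdict for the live endpoint.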
mikkeschiren commented 3 weeks ago

My five cents:

colin-campbell commented 3 weeks ago

RFC 7231, section 3.1.1.5 (https://www.rfc-editor.org/rfc/rfc7231#section-3.1.1.5):

A sender that generates a message containing a payload body SHOULD generate a Content-Type header field in that message.

It doesn't say anything about setting a Content-Type when there is no payload. However, I wonder if we are returning Content-Length explicitly as 0 for an empty response, and if that would make a difference?

mikkeschiren commented 3 weeks ago

The Content-Length is 0.

mikkeschiren commented 3 weeks ago

This issue should be closed, I think. Regarding the issue reported by Whitespace: they have updated their blog post with more information, @Chardonneaur.

Chardonneaur commented 3 weeks ago

https://whitespace.se/blogg/kritisk-firefox-bugg-som-paverkar-matomo-och-piwik-pro/