Closed npXXX closed 6 years ago
Hi,
I hit the same bug.
Note: I host Nextcloud / ownCloud and Piwik on the same domain.
First I noticed there is no 'self' in the CSP header, so I looked into how to fix this issue and found some info in the Nextcloud community forums: https://help.nextcloud.com/t/content-security-policy-in-nextcloud/5288/4
I tried tweaking piwik\appinfo\app.php:
```php
if (array_key_exists('HTTP_HOST', $_SERVER) && $_SERVER['HTTP_HOST'] !== $url) {
    $policy = new OCP\AppFramework\Http\ContentSecurityPolicy ();
    $policy->addAllowedScriptDomain($url);
    $policy->addAllowedImageDomain($url);
    \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
} else {
    $policy = new OCP\AppFramework\Http\ContentSecurityPolicy ();
    $policy->addAllowedScriptDomain('\'self\'');
    $policy->addAllowedImageDomain('\'self\'');
    \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
}
```
Unfortunately this doesn't have the desired effect (no self in the CSP header),
so I ended up with this tweak:
```php
# if (array_key_exists('HTTP_HOST', $_SERVER) && $_SERVER['HTTP_HOST'] !== $url) {
$policy = new OCP\AppFramework\Http\ContentSecurityPolicy ();
$policy->addAllowedScriptDomain($url);
$policy->addAllowedImageDomain($url);
\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
# }
```
aka commented out the HTTP_HOST header check in app.php.
Maybe someone knows a better solution for this issue :-)
Regards, Alex
Hey Alex, thank you! Finally I can track my NextCloud ;) Thanks for sharing your solution!
Regards, Nils
Mh. I think the cleaner solution would be to improve the host/url check. But anyway, I am wondering why self is missing in the CSP header...
I also encounter this issue on Nextcloud 11, but the effect depends on the browser... With the default code, tracking works on Safari, IE and Edge but fails with Firefox and Chrome. Modifying the code like Alex-Ba suggests "works", but I'm really not skilled enough to track the root cause and fix anything.
The problem comes from the parse_url
```php
$piwik = json_decode(OCP\Config::getAppValue('piwik', 'piwik'));
# Comment out the parse url and add your URL here
# $url = parse_url($piwik->url, PHP_URL_HOST);
$url = 'piwik.MY_URL.cc';
# if (array_key_exists('HTTP_HOST', $_SERVER) && $_SERVER['HTTP_HOST'] !== $url) {
$policy = new OCP\AppFramework\Http\ContentSecurityPolicy ();
$policy->addAllowedScriptDomain($url);
$policy->addAllowedImageDomain($url);
\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
# }
}
```
@Xqua can you explain that in more detail? What is the value of $piwik->url and the corresponding return value of parse_url?
I did this a while back ... I think it was returning a nil or some sort.
Hope the fix works for you guys.
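An added example, not part of the thread or of the app's code: PHP's parse_url() returns null for PHP_URL_HOST when the configured value has no scheme, which would match the "nil" described above, though the thread does not establish that this was the cause. The function name trackerCspHost and the sample hostnames are assumptions made for illustration.

```php
<?php
/**
 * Derive the host (and optional port) to allow in the CSP from a configured
 * tracker URL. Returns null when no usable host can be extracted, so the
 * caller can skip adding a policy instead of passing null on.
 * Hypothetical helper, not part of the piwik app or of Nextcloud.
 */
function trackerCspHost(?string $configuredUrl): ?string
{
    $configuredUrl = trim((string) $configuredUrl);
    if ($configuredUrl === '') {
        return null;
    }

    // parse_url() only fills 'host' when the value has a scheme or starts
    // with "//". A bare "piwik.example.org/" is parsed as a path instead.
    if (!preg_match('#^([a-z][a-z0-9+.-]*:)?//#i', $configuredUrl)) {
        $configuredUrl = '//' . $configuredUrl;
    }

    $parts = parse_url($configuredUrl);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }

    // Accept only plain DNS-name characters, so nothing else from the
    // app configuration can end up in the response header.
    $host = strtolower($parts['host']);
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }

    return isset($parts['port']) ? $host . ':' . $parts['port'] : $host;
}

// Constructed sample values for the configured tracker URL.
$samples = [
    'https://piwik.example.org/',
    '//piwik.example.org/',
    'piwik.example.org/',
    'piwik.example.org:8443/',
    '',
];

foreach ($samples as $s) {
    printf(
        "%-28s parse_url host=%-22s helper=%s\n",
        var_export($s, true),
        var_export(parse_url($s, PHP_URL_HOST), true),
        var_export(trackerCspHost($s), true)
    );
}
```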
I'll try it next week and get back to you!
The errors reappear in Nextcloud 16.
All of your mentioned fixes cause the app to change its state from being enabled to disabled. May I ask you to please re-investigate further? If you are interested, let me know how to assist you or grant access to my environment.
Cheers, Carsten (https://www.c-rieger.de)
I gave up on NextCloud, sorry I won't be able to help.
@criegerde #70 should fix it, please let me know if it doesn't.
The addon will be disabled if the app is not marked as compliant (e.g. error in code)
Hi, sadly Chrome refuses to load the piwik.js because of a violation of the content security policy. On mobile devices, like my Android phone, there is no such problem and Piwik is tracking the visits without a problem. Just desktop browsers don't work (as far as I can see).