June 6, 2018
Yes, Piwik PRO Analytics module can be used with CSP. Yet, you can’t use the standard tracking code generated by the Tracking Code Generator in the Piwik PRO UI as it is not allowed to use inline scripts when having CSP enabled. CSP is a security concept to prevent cross-site scripting (XSS) attacks as well as related attacks.
Specifying Content Security Policy is a common way to secure web applications. This mechanism allows specifying which scripts and styles can execute on the page. It can be done either by adding Content-Security-Policy header or appropriate meta tag. It is common to allow only scripts and styles that were received from known domains or ones that have a special nonce attribute. Right now it, unfortunately, doesn’t work for synchronous tags (changing it is in progress). It may not work for the template tags so we are suggesting using custom tags with CSP.