Can I use Piwik PRO with Content Security Policy?
Yes, Piwik PRO Analytics can be used with Content Security Policy (CSP). However, you can’t use the standard tracking code generated by the Tracking Code Generator in the Piwik PRO UI, because inline scripts are not allowed when CSP is enabled. CSP is a security concept that helps prevent cross-site scripting (XSS) and related attacks.
Specifying a Content Security Policy is a common way to secure web applications. This mechanism lets you specify which scripts and styles can execute on the page. It can be set either by adding a Content-Security-Policy header or an appropriate meta tag. It is common to allow only scripts and styles that were received from known domains or that have a special nonce attribute. Unfortunately, this doesn’t currently work for synchronous tags (a change is in progress). It may also not work for template tags, so we suggest using custom tags with CSP.
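
The sketch below is an added example, not Piwik PRO code. It builds a nonce-based policy of the kind described above and checks which `<script>` elements in a page that policy would let run. The origins are placeholders, and the check is a simplified model of `script-src` covering only exact origins and nonces.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder origin standing in for the host that serves your tag scripts.
TRUSTED_ORIGIN = "https://analytics.example.com"
PAGE_ORIGIN = "https://www.example.com"  # assumption: the site being protected


def new_nonce():
    """Unpredictable value; generate a fresh one for every HTTP response."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, trusted=(TRUSTED_ORIGIN,)):
    """Value for the Content-Security-Policy header or the equivalent meta tag."""
    sources = ["'self'", *trusted, f"'nonce-{nonce}'"]
    return "default-src 'self'; script-src " + " ".join(sources)


class ScriptAudit(HTMLParser):
    """Simplified model of script-src: exact origins and nonces only."""

    def __init__(self, nonce, trusted=(TRUSTED_ORIGIN,)):
        super().__init__()
        self.nonce = nonce
        self.allowed_origins = {PAGE_ORIGIN, *trusted}
        self.results = []  # (description, allowed) per <script> element

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if attr.get("nonce") == self.nonce:
            self.results.append((src or "inline", True))
        elif src is None:
            # Inline code with no nonce: what a pasted tracking snippet looks like.
            self.results.append(("inline", False))
        else:
            parts = urlsplit(src)
            origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else PAGE_ORIGIN
            self.results.append((src, origin in self.allowed_origins))


def audit(html, nonce):
    """Return one (description, allowed) pair per <script> element in html."""
    parser = ScriptAudit(nonce)
    parser.feed(html)
    return parser.results
```

Running `audit()` over your rendered pages before enforcing the policy shows which tags still need a nonce or an allow-listed origin.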