Yes, Matomo can be used with a Content Security Policy (CSP). However, you cannot use the standard tracking code generated by the Tracking Code Generator in the Matomo UI as-is: it is an inline script, and a CSP whose script-src does not allow 'unsafe-inline' (or a matching nonce or hash) blocks inline scripts. CSP is a browser security mechanism that restricts where scripts, images and other resources may be loaded from, in order to prevent cross-site scripting (XSS) and related injection attacks.
Instead, move the tracking code into external files loaded via script tags, for example:

<script src="https://matomo.example.com/matomo.js" async defer></script>
<script src="tracking.js"></script>

matomo.js should be loaded from your Matomo server, and tracking.js (the path above assumes it is served from your own site, which 'self' in script-src covers) should contain the actual tracking calls like this:

var idSite = 1;
var matomoTrackingApiUrl = 'https://matomo.example.com/matomo.php';
// _paq queues tracking commands until matomo.js has loaded and processes them;
// it must start as an empty array, not be left undefined.
var _paq = window._paq = window._paq || [];
_paq.push(['setTrackerUrl', matomoTrackingApiUrl]);
_paq.push(['setSiteId', idSite]);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
Make sure to specify the correct idSite if needed and to replace the Matomo Tracking API URL. You can build this URL by appending /matomo.php to your Matomo domain.
If you load matomo.js from a different domain than your website, make sure to allow the Matomo domain in the relevant directives of your policy: script-src for matomo.js itself, img-src for the default tracking request, which fetches matomo.php as an image, and connect-src for the XMLHttpRequest and sendBeacon requests Matomo uses for POST or beacon-based tracking. An example response header (here as an Apache Header directive) looks like this:
Header set Content-Security-Policy "default-src 'self'; connect-src https://matomo.example.com; script-src 'self' https://matomo.example.com; img-src 'self' https://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';"
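A quick way to check whether a policy you deploy actually covers the Matomo requests described above is to parse the header value and test each relevant directive against the Matomo origin. The following script is an added example, not part of the original page or of Matomo's own code; it assumes the page's example origin https://matomo.example.com and the hypothetical function names parseCsp, effectiveSources, allowsOrigin and checkMatomoCsp. It goes slightly beyond the single header above in that it handles the CSP rules that matter for this check: fallback to default-src when a fetch directive is absent, repeated directives (only the first counts), scheme-only and host-wildcard sources, and it flags 'unsafe-inline' in script-src as unnecessary once the tracking calls live in tracking.js.

```javascript
// Added example, not Matomo's own code: check a Content-Security-Policy
// header value for the directives the Matomo tracker needs.
// parseCsp, effectiveSources, allowsOrigin and checkMatomoCsp are
// hypothetical names; https://matomo.example.com is the page's example origin.

// Parse "name src src; name src" into Map<directive, Set<source>>.
// Per the CSP spec a repeated directive is ignored; only the first one counts.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

// Fetch directives that fall back to default-src when they are not set.
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'connect-src', 'img-src', 'style-src', 'frame-src']);

// Sources governing a directive, or null when the policy does not restrict it at all.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does a source list permit loading from the given origin?
// Handles '*', scheme-only sources (https:), exact host or origin matches,
// and host wildcards (https://*.example.com). Anything else is treated as no match.
function allowsOrigin(sources, origin) {
  if (sources === null) return true;
  const url = new URL(origin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === '*' || s === url.protocol) return true;
    if (s === url.origin || s === url.host) return true;
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?\*\.([^/:]+)$/);
    if (m && (!m[1] || m[1] + ':' === url.protocol) && url.hostname.endsWith('.' + m[2])) return true;
  }
  return false;
}

// Check that the tracker set-up described on this page can work under the policy.
// Returns { ok, problems } so the result can be asserted on or logged.
function checkMatomoCsp(headerValue, matomoOrigin) {
  const directives = parseCsp(headerValue);
  const problems = [];
  const needed = [
    ['script-src', 'matomo.js is loaded from the Matomo server'],
    ['img-src', 'the default tracking request fetches matomo.php as an image'],
    ['connect-src', 'POST and sendBeacon tracking requests reach matomo.php via XHR/beacon'],
  ];
  for (const [name, why] of needed) {
    if (!allowsOrigin(effectiveSources(directives, name), matomoOrigin)) {
      problems.push(`${name} does not allow ${matomoOrigin} (${why})`);
    }
  }
  const script = effectiveSources(directives, 'script-src');
  if (script !== null) {
    // tracking.js is served from the site itself, so 'self' must be allowed.
    if (!script.has("'self'")) {
      problems.push("script-src does not allow 'self', so tracking.js served from your own site is blocked");
    }
    // With the tracking calls moved into tracking.js, 'unsafe-inline' is not needed
    // and re-opens the injected-script vector CSP is meant to close.
    if (script.has("'unsafe-inline'")) {
      problems.push("script-src allows 'unsafe-inline'; drop it, the tracker does not need it");
    }
  }
  return { ok: problems.length === 0, problems };
}

// Usage: the example header from above, copied here as a constant.
const EXAMPLE_HEADER = "default-src 'self'; connect-src https://matomo.example.com; script-src 'self' https://matomo.example.com; img-src 'self' https://matomo.example.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';";
console.log(checkMatomoCsp(EXAMPLE_HEADER, 'https://matomo.example.com'));
```

Run it with Node against the exact header value your server sends (for example copied from the browser's network panel) rather than the one you think you configured; a policy set at the CDN or reverse proxy is the one the browser enforces.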
If CSP should work in all browsers you might have to add further headers. At the time of writing this article you might also need to set X-WebKit-CSP for Safari and X-Content-Security-Policy for Internet Explorer support. Both are legacy, vendor-prefixed headers from before CSP was standardised; current browsers honour the standard Content-Security-Policy header, so the prefixed ones only matter if you still have to support those old browser versions. Read more about Content Security Policy.