diff --git a/Block/Matomo.php b/Block/Matomo.php
index b632930..79ea004 100644
--- a/Block/Matomo.php
+++ b/Block/Matomo.php
@@ -49,6 +49,8 @@ class Matomo extends \Magento\Framework\View\Element\Template
      */
     protected $_dataHelper = null;
 
+    protected \Magento\Csp\Helper\CspNonceProvider $_cspNonceProvider;
+
     /**
      * Constructor
      *
@@ -56,6 +58,7 @@ class Matomo extends \Magento\Framework\View\Element\Template
      * @param \Magento\Framework\Json\EncoderInterface $jsonEncoder
      * @param \Chessio\Matomo\Model\Tracker $tracker
      * @param \Chessio\Matomo\Helper\Data $dataHelper
+     * @param \Magento\Csp\Helper\CspNonceProvider $cspNonceProvider
      * @param array $data
      */
     public function __construct(
@@ -63,11 +66,13 @@ public function __construct(
         \Magento\Framework\Json\EncoderInterface $jsonEncoder,
         \Chessio\Matomo\Model\Tracker $tracker,
         \Chessio\Matomo\Helper\Data $dataHelper,
+        \Magento\Csp\Helper\CspNonceProvider $cspNonceProvider,
         array $data = []
     ) {
         $this->_jsonEncoder = $jsonEncoder;
         $this->_tracker = $tracker;
         $this->_dataHelper = $dataHelper;
+        $this->_cspNonceProvider = $cspNonceProvider;
         parent::__construct($context, $data);
     }
 
@@ -116,7 +121,8 @@ public function getJsOptions()
             'scriptUrl' => $this->getScriptUrl(),
             'trackerUrl' => $this->getTrackerUrl(),
             'siteId' => $this->getSiteId(),
-            'actions' => $this->getTracker()->toArray()
+            'actions' => $this->getTracker()->toArray(),
+            'nonce' => $this->_cspNonceProvider->generateNonce(),
         ];
     }
 
diff --git a/view/frontend/templates/matomo.phtml b/view/frontend/templates/matomo.phtml
index fa39888..3242c17 100644
--- a/view/frontend/templates/matomo.phtml
+++ b/view/frontend/templates/matomo.phtml
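Review bot: In the `__construct` hunk the new `\Magento\Csp\Helper\CspNonceProvider $cspNonceProvider` parameter is inserted as a required positional argument before `array $data = []`, so any subclass or di.xml-configured override that still calls `parent::__construct($context, $jsonEncoder, $tracker, $dataHelper, $data)` now passes the data array into the nonce-provider slot and fails with a TypeError. Magento's backward-compatibility convention is to append the dependency after `$data` as `?\Magento\Csp\Helper\CspNonceProvider $cspNonceProvider = null` and resolve it with `$this->_cspNonceProvider = $cspNonceProvider ?? \Magento\Framework\App\ObjectManager::getInstance()->get(\Magento\Csp\Helper\CspNonceProvider::class);`. The block also gains a hard dependency on the Magento_Csp module (this helper appears to exist only in recent 2.4.x releases), which should be declared in the module's `module.xml` sequence and `composer.json`; this commit touches neither. Since `getJsOptions()` now copies the nonce into the page's JS options, note that a nonce placed in readable markup or JSON loses the attribute hiding browsers apply to `<script nonce>`; if the tracker component only needs it for the script tag it injects, reading `document.currentScript.nonce` on the JS side avoids exposing it. The new `$_cspNonceProvider` property also lacks the `/** @var \Magento\Csp\Helper\CspNonceProvider */` docblock its sibling properties carry.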
@@ -19,8 +19,10 @@ * along with Chessio_Matomo. If not, see . */ +/** @var \Chessio\Matomo\Block\Matomo $block */ +/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */ ?> - + renderTag('script', ['src' => $block->getScriptUrl()]); + // The following script can be omitted in which case the // `Chessio_Matomo/js/tracker' component will inject the tracker script instead. // However that might cause the tracker script to miss the `DOMContentLoaded' // event which breaks the link tracking feature. -?> - -renderTag('script', [], $scriptString, false); + // The following script is a workaround that prevents the checkout loader // overlay from spinning indefinitely in cases where a browser plugin such as // AdBlock stops the tracker JS component from loading. The loader indicator @@ -56,8 +62,8 @@ // export a mocked version of the component if we get an `errback' from require. // @see vendor/magento/module-checkout/view/frontend/web/js/checkout-loader.js // @see lib/web/mage/requirejs/resolver.js -?> - +script; +echo $secureRenderer->renderTag('script', [], $scriptString, false); +?>