Piwik/GA inline script requires CSP "unsafe-inline"

[thomaszbz]

When Content-Security-Policy (CSP) is used (via webserver config) with a http header Content-Security-Policy, then we get a problem with the inline javascripts for Piwik/Google Analytics integration:

To not block the piwik javascript via CSP (in the frontend), the CSP header must be set together with script-src 'unsafe-inline'. This works fine, however is it considered unsafe.

As of TYPO3 6.2, this is not an issue in practice, because the TYPO3 backend is even worse (requires unsafe-eval). But as soon as the backend does not require 'unsafe-inline' any more, we should not require it either in metaseo.

This issue could still be relevant already (as of 6.2) if only the frontend counts (e.g. if the backend is not accessible or CSP-configured separately).

[thomaszbz]

Instead of loading the tracking-code inline (which requires a 'unsafe-inline'), we should offer a separate tracking.js (or put it into the javascript merged by TYPO3 CMS) as suggested in

https://piwik.org/faq/general/faq_20904/

Now that some users might want to still load piwik tracking code inline (because users could leave the page before the tracking.js is loaded), we should make this configurable. That should still work without a CSP header or with an unsafe CSP header.