Problem/Motivation
We got reports from users that the nonce value that was introduced in 1.4.3 is not changing dynamically like it should. I think it is now getting cached, as the nonce will change when caches are cleared.
Some changes might be needed in how the nonce is added to the pages.
Steps to reproduce
- Enable CSP nonce support in Piwik PRO module settings and inspect the source of some pages in your site.
- The nonce value within the code snippet stays the same on every page request.
Proposed resolution
We should probably use the nonce builder service that was added in the CSP module 2.x branch. And instead of injecting the nonce inside the script, we should use a placeholder which gets replaced later.
Remaining tasks
- Change the used service from nonce to nonce builder.
- Use a placeholder value as the nonce instead of the direct value.
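An added example, not part of the original issue or the module's code: a simulated page cache showing why a nonce baked into cached markup goes stale, how a placeholder substituted per response avoids that, and a check that compares two responses. The placeholder token, the function names and the assumption that the CSP header carries a fresh nonce on every response are illustrative.

```javascript
// Simulation only: no Drupal or CSP module APIs are used here.
const { randomBytes } = require("node:crypto");

const PLACEHOLDER = "__CSP_NONCE_PLACEHOLDER__"; // hypothetical token
const newNonce = () => randomBytes(16).toString("base64");

// Returns a request handler with its own cache.
// usePlaceholder = false reproduces the reported behaviour, true the proposed fix.
function makeHandler(usePlaceholder) {
  let cachedHtml = null; // stands in for the render/page cache
  return function handle() {
    const nonce = newNonce(); // assumed fresh for every response
    if (cachedHtml === null) {
      // Buggy path: the first request's nonce is baked into the cached markup.
      const attr = usePlaceholder ? PLACEHOLDER : nonce;
      cachedHtml = `<script nonce="${attr}">/* tracking snippet */</script>`;
    }
    // Fixed path: the placeholder is substituted after the cache lookup.
    const body = cachedHtml.replaceAll(PLACEHOLDER, nonce);
    return {
      headers: { "Content-Security-Policy": `script-src 'nonce-${nonce}'` },
      body,
    };
  };
}

// Compares two responses for the same page and reports nonce problems.
function auditNonces(first, second) {
  const headerNonce = (r) =>
    (r.headers["Content-Security-Policy"].match(/'nonce-([^']+)'/) || [])[1];
  const bodyNonces = (r) =>
    [...r.body.matchAll(/<script[^>]*\snonce="([^"]*)"/g)].map((m) => m[1]);
  const findings = [];
  for (const [name, r] of [["first", first], ["second", second]]) {
    if (bodyNonces(r).some((n) => n !== headerNonce(r)))
      findings.push(`${name}: script nonce does not match header`);
  }
  if (bodyNonces(first).some((n) => bodyNonces(second).includes(n)))
    findings.push("script nonce reused across responses");
  return findings;
}

// Runs two requests against one handler and audits the pair.
function demo(usePlaceholder) {
  const handle = makeHandler(usePlaceholder);
  return auditNonces(handle(), handle());
}
```
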
Issue fork piwik_pro-3574747
Comments
Comment #2
hartsak commented
In addition, another bug comes up when using the library mode and piwik_pro_snippet.js file is used.
It now uses the nonce value from Piwik PRO and not from the CSP module:
    const nonce = drupalSettings.piwik_pro.nonce || null;
That could probably be changed to:
    const nonce = drupalSettings.csp.nonce || null;
Comment #4
hartsak commented
I added some refactoring there. Maybe someone could take a look?
Comment #5
hartsak commented
There were some errors in the tests previously.
I added the csp module as a test dependency and now it seems the tests pass.
Comment #6
joonaskokko commented
Looks good! 👍
Comment #7
hartsak commented
Thanks @joonaskokko!
Comment #9
hartsak commented
I'll move this to fixed.