This commit introduces several improvements to the Matomo initialization workflow:
- Moves the Matomo reachability check into sys-front-inj-all/tasks/01_dependencies.yml.
- Ensures web-app-matomo is only initialized when the endpoint is unreachable.
- Avoids condition inheritance on include_role by removing block-level when conditions.
- Adds explicit guarding conditions (inj_enabled.matomo, run_once_web_app_matomo usage).
- Ensures Matomo-dependent injections (CSS, Desktop, Logout, CDN) are skipped for Matomo itself.
- Fixes incorrect status_code format (now using YAML list format).
- Moves utils/run_once.yml to the top of 01_core.yml to prevent recursive re-invocation of web-app-matomo.
- Cleans Matomo config/main.yml feature definitions and clarifies which features are disabled during initial bootstrap.
- Removes legacy global Matomo bootstrap from 02_server.yml, centralizing logic in sys-front-inj-all.
- Fixes typo in inj_enabled task name.
This results in a robust, idempotent, recursion-safe Matomo bootstrap sequence that works across all injected web domains.
- Add CSP3 support for style/script: include -elem and -attr directives
- Base (style-src, script-src) now unions elem/attr (CSP2/Safari fallback)
- Respect explicit base disables (e.g. style-src.unsafe-inline: false)
- Hashes only when 'unsafe-inline' absent in the final base tokens
- Nginx: set CSP only for HTML/worker via header_filter_by_lua_block; drop for subresources
- Remove per-location header_filter; keep body_filter only
- Update app role flags to *-attr where appropriate; extend desktop CSS sources
- Add comprehensive unit tests for union/explicit-disable/no-mirror-back
Ref: https://chatgpt.com/share/68f87a0a-cebc-800f-bb3e-8c8ab4dee8ee
