Task #100903
openEpic #87417: Integrate proper Content Security Policy (CSP) handling
Feature #99499: Introduce Content Security Policy handling
Add Facebook In-App Handler
Description
The Facebook app on mobile devices uses an in-app browser handler which seems to inject JavaScript, spotted on https://indiemusik-festival.de/events/festival-2023
Potential actions:
- either add a handler that allows these requests,
- or add information/an analyzer that describes what is going on
Sources:
- https://connect.facebook.net/en_US/pcm.js
- https://connect.facebook.net/en_US/iab.autofill.enhanced.js
CSP Violations:
{"document-uri":"https://indiemusik-festival.de/events/festival-2023/act/aetna","referrer":"https://indiemusik-festival.de/events/festival-2023","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684531784834120","blocked-uri":"https://connect.facebook.net/en_US/pcm.js","status-code":0,"source-file":"https://indiemusik-festival.de/events/festival-2023/act/aetna","line-number":1,"column-number":339}
{"document-uri":"https://indiemusik-festival.de/events/festival-2023","referrer":"https://l.facebook.com/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684427112240721","disposition":"enforce","blocked-uri":"https://connect.facebook.net/en_US/iab.autofill.enhanced.js","line-number":1,"column-number":259,"status-code":200,"script-sample":""}
Meta-Data:
{"addr":"2003:6:53df:b973::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 [FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]"}
{"addr":"2003:d5:8721:f000::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 283.0.0.16.103 (iPhone11,2; iOS 16_4_1; de_DE; de-DE; scale=3.00; 1125x2436; 474411477)"}
{"addr":"2003:eb:d747:f4bf::","agent":"Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}
{"addr":"2003:e7:a707:6171::","agent":"Mozilla/5.0 (Linux; Android 10; MAR-LX1A Build/HUAWEIMAR-L21A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.77 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}
→ a User-Agent containing FB* indicates the in-app browser
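One way to implement the "analyzer" option from the ticket, as an added example that is neither TYPO3 code nor part of the ticket: a Python triage routine that pairs each CSP violation report with the reporting User-Agent and labels reports caused by the Facebook in-app browser (IAB) separately from violations the site itself has to fix. The sample events reuse the two reports and two User-Agent strings quoted above (abridged to the fields used); the pairing structure, the two control cases and the generalised locale segment in the script path are assumptions made for this example.

```python
"""Triage CSP violation reports: separate scripts injected by the Facebook
in-app browser (IAB) from violations the site itself has to fix."""
import re
from urllib.parse import urlparse

# Constructed sample: the two reports and two of the User-Agent strings quoted
# in the ticket, paired up (the pairing is an assumption) and abridged.
SAMPLE_EVENTS = [
    {
        "report": {
            "document-uri": "https://indiemusik-festival.de/events/festival-2023/act/aetna",
            "effective-directive": "script-src-elem",
            "blocked-uri": "https://connect.facebook.net/en_US/pcm.js",
        },
        "agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 "
                 "[FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;"
                 "FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]",
    },
    {
        "report": {
            "document-uri": "https://indiemusik-festival.de/events/festival-2023",
            "effective-directive": "script-src-elem",
            "blocked-uri": "https://connect.facebook.net/en_US/iab.autofill.enhanced.js",
        },
        "agent": "Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) "
                 "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                 "Chrome/112.0.5615.136 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]",
    },
    {   # constructed control case: same blocked host, ordinary desktop browser
        "report": {
            "document-uri": "https://indiemusik-festival.de/",
            "effective-directive": "script-src-elem",
            "blocked-uri": "https://connect.facebook.net/en_US/sdk.js",
        },
        "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/113.0.0.0 Safari/537.36",
    },
    {   # constructed control case: unrelated inline-script violation
        "report": {
            "document-uri": "https://indiemusik-festival.de/",
            "effective-directive": "script-src-elem",
            "blocked-uri": "inline",
        },
        "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/113.0.0.0 Safari/537.36",
    },
]

# "FB*" tokens as seen in the ticket: [FBAN/FBIOS;...] on iOS, [FB_IAB/FB4A;FBAV/...] on Android.
FB_IAB_UA = re.compile(r"\bFB[A-Z_]*/")
# Host the injected scripts were loaded from (the ticket's blocked-uri values).
FB_IAB_HOST = "connect.facebook.net"
# Script names listed in the ticket; the locale segment is generalised (assumption).
FB_IAB_PATH = re.compile(r"^/[a-z]{2}_[A-Z]{2}/(?:pcm|iab\.[A-Za-z0-9.]+)\.js$")
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem"}


def is_facebook_iab(agent: str) -> bool:
    """True when the User-Agent carries the FB* tokens of the Facebook in-app browser."""
    return FB_IAB_UA.search(agent) is not None


def classify(event: dict) -> str:
    """Return one of:
    'fb-iab-injection'  script injected by Facebook's IAB; not a site bug
    'fb-host-other-ua'  connect.facebook.net blocked outside the IAB; the site may embed the FB SDK
    'site-violation'    everything else; the site's own markup or policy needs attention
    """
    report, agent = event["report"], event["agent"]
    blocked = urlparse(report.get("blocked-uri", ""))
    directive = report.get("effective-directive", "")
    if blocked.hostname == FB_IAB_HOST and directive in SCRIPT_DIRECTIVES:
        if is_facebook_iab(agent) and FB_IAB_PATH.match(blocked.path or ""):
            return "fb-iab-injection"
        return "fb-host-other-ua"
    return "site-violation"


def summarize(events: list) -> dict:
    """Count verdicts so a reporting UI can show IAB noise separately from real findings."""
    counts = {}
    for event in events:
        verdict = classify(event)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event), event["report"]["blocked-uri"])
    print(summarize(SAMPLE_EVENTS))
```

A note on the other option from the ticket (allowing the requests): the policies quoted above authorise scripts by nonce, and a script injected by the browser shell never carries the page's nonce, so the only way to let it through is a host source such as `https://connect.facebook.net` in `script-src-elem`. That also permits any other script from that origin and weakens the policy for every visitor, not just IAB users, which is why labelling these reports in the analyzer is the smaller change.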
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80179
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80179
Updated by Gerrit Code Review about 1 month ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80179