Task #100903

open

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Feature #99499: Introduce Content Security Policy handling

Add Facebook In-App Handler

Added by Oliver Hader 11 months ago. Updated 9 months ago.

Status: Under Review
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2023-05-20
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The Facebook app on mobile devices uses an In-App-Browser handler that seems to inject JavaScript into the visited page; this was spotted on https://indiemusik-festival.de/events/festival-2023

Potential actions:

  • either add a handler that allows these requests,
  • or add information/an analyzer that describes what was going on

Sources:

CSP Violations:

  • {"document-uri":"https://indiemusik-festival.de/events/festival-2023/act/aetna","referrer":"https://indiemusik-festival.de/events/festival-2023","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684531784834120","blocked-uri":"https://connect.facebook.net/en_US/pcm.js","status-code":0,"source-file":"https://indiemusik-festival.de/events/festival-2023/act/aetna","line-number":1,"column-number":339}
  • {"document-uri":"https://indiemusik-festival.de/events/festival-2023","referrer":"https://l.facebook.com/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684427112240721","disposition":"enforce","blocked-uri":"https://connect.facebook.net/en_US/iab.autofill.enhanced.js","line-number":1,"column-number":259,"status-code":200,"script-sample":""}

Meta-Data:

  • {"addr":"2003:6:53df:b973::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 [FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]"}
  • {"addr":"2003:d5:8721:f000::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 283.0.0.16.103 (iPhone11,2; iOS 16_4_1; de_DE; de-DE; scale=3.00; 1125x2436; 474411477)"}
  • {"addr":"2003:eb:d747:f4bf::","agent":"Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}
  • {"addr":"2003:e7:a707:6171::","agent":"Mozilla/5.0 (Linux; Android 10; MAR-LX1A Build/HUAWEIMAR-L21A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.77 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}

→ A User-Agent string containing FB* tokens indicates the In-App-Browser
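As an illustration of the second option (an analyzer that explains the violation instead of relaxing the policy), the following is an added example and not TYPO3 code: it takes a CSP violation report together with the stored meta-data, checks whether the blocked script came from connect.facebook.net, and whether the User-Agent carries the FB* tokens seen above, and labels the report accordingly. It is written in Python rather than PHP so that it runs stand-alone; the verdict labels, the sample reports (abridged from the ones above, with example.test in place of the real site) and the FB_IAB_SCRIPT_HOSTS list are assumptions for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Host the Facebook/Instagram in-app browsers load their helper scripts from;
# the only one seen in the reports above is connect.facebook.net (assumption:
# extend this set if further hosts show up in the reports).
FB_IAB_SCRIPT_HOSTS = frozenset({"connect.facebook.net"})

# User-Agent markers of the Facebook family of in-app browsers, as seen in the
# Meta-Data above: "[FBAN/FBIOS;...]" on iOS, "[FB_IAB/FB4A;FBAV/...]" on
# Android, and "Instagram <version>" for the Instagram app.
FB_IAB_UA_RE = re.compile(r"\[FB[A-Z_]*/|\bFBAV/|\bInstagram \d")

SCRIPT_DIRECTIVES = frozenset({"script-src", "script-src-elem", "script-src-attr"})


def is_fb_in_app_browser(user_agent: str) -> bool:
    """True if the User-Agent carries one of the in-app-browser markers."""
    return FB_IAB_UA_RE.search(user_agent) is not None


def blocked_host(report: dict) -> str:
    """Hostname of blocked-uri, or '' for host-less values like 'inline' or 'eval'."""
    return (urlsplit(report.get("blocked-uri", "")).hostname or "").lower()


def classify(report: dict, meta: dict) -> dict:
    """Annotate one CSP violation report with where the blocked script came from.

    Verdict labels (hypothetical, chosen for this example):
      fb-iab-injected  - script injected by the Facebook/Instagram in-app browser;
                         not part of the site, so no policy change is needed
      fb-host-other-ua - connect.facebook.net blocked, but the request did not
                         come from an in-app browser: review the page's own markup
      other            - unrelated violation
    """
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    host = blocked_host(report)
    in_app = is_fb_in_app_browser(meta.get("agent", ""))
    if host in FB_IAB_SCRIPT_HOSTS and directive in SCRIPT_DIRECTIVES:
        verdict = "fb-iab-injected" if in_app else "fb-host-other-ua"
    else:
        verdict = "other"
    return {
        "document": report.get("document-uri", ""),
        "directive": directive,
        "blocked_host": host,
        "in_app_browser": in_app,
        "verdict": verdict,
    }


def summarize(pairs) -> dict:
    """Count verdicts over (report, meta) pairs as they arrive at the report-uri endpoint."""
    counts = {}
    for report, meta in pairs:
        verdict = classify(report, meta)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample input, abridged from the reports and Meta-Data above.
SAMPLE_PAIRS = [
    (
        {"document-uri": "https://example.test/events/festival-2023",
         "violated-directive": "script-src-elem",
         "effective-directive": "script-src-elem",
         "blocked-uri": "https://connect.facebook.net/en_US/iab.autofill.enhanced.js"},
        {"addr": "2001:db8::1",
         "agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 "
                  "[FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]"},
    ),
    (
        {"document-uri": "https://example.test/events/festival-2023",
         "effective-directive": "script-src-elem",
         "blocked-uri": "https://connect.facebook.net/en_US/pcm.js"},
        {"addr": "2001:db8::2",
         "agent": "Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 "
                  "Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"},
    ),
    (
        # Same Facebook host, but from a desktop browser: the page itself may reference it.
        {"document-uri": "https://example.test/",
         "effective-directive": "script-src-elem",
         "blocked-uri": "https://connect.facebook.net/en_US/pcm.js"},
        {"addr": "2001:db8::3",
         "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"},
    ),
    (
        # Unrelated inline-style violation; blocked-uri carries no host at all.
        {"document-uri": "https://example.test/",
         "effective-directive": "style-src-attr",
         "blocked-uri": "inline"},
        {"addr": "2001:db8::4", "agent": "Mozilla/5.0 (X11; Linux x86_64; rv:113.0) Gecko/20100101 Firefox/113.0"},
    ),
]

if __name__ == "__main__":
    for report, meta in SAMPLE_PAIRS:
        print(json.dumps(classify(report, meta)))
    print(summarize(SAMPLE_PAIRS))
```

The point of keying on both the blocked host and the User-Agent is that the same blocked-uri means different things: from an in-app browser it is the browser's own injection and can be reported as such, while from a regular browser it points at markup the site actually ships and should be looked at before any script-src-elem source is added.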

Actions #1

Updated by Oliver Hader 11 months ago

  • Description updated (diff)

Actions #2

Updated by Oliver Hader 11 months ago

  • Description updated (diff)

Actions #3

Updated by Oliver Hader 11 months ago

  • Description updated (diff)

Actions #4

Updated by Oliver Hader 11 months ago

  • Description updated (diff)

Actions #5

Updated by Oliver Hader 11 months ago

  • Description updated (diff)

Actions #6

Updated by Gerrit Code Review 9 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80179

Actions #7

Updated by Gerrit Code Review 9 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/80179
