Task #100903
Updated by Oliver Hader over 1 year ago
The Facebook App on mobile devices uses an In-App-Browser handler which seems to inject JavaScript.

Potential actions:
* either add a handler to allow these requests,
* or add information/an analyzer that describes what was going on

Sources:
* https://connect.facebook.net/en_US/pcm.js
* https://connect.facebook.net/en_US/iab.autofill.enhanced.js

CSP violations:
* <code>
{"document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023\/act\/aetna","referrer":"https:\/\/indiemusik-festival.de\/events\/festival-2023","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684531784834120","blocked-uri":"https:\/\/connect.facebook.net\/en_US\/pcm.js","status-code":0,"source-file":"https:\/\/indiemusik-festival.de\/events\/festival-2023\/act\/aetna","line-number":1,"column-number":339}
</code>
* <code>
{"document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","referrer":"https:\/\/l.facebook.com\/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684427112240721","disposition":"enforce","blocked-uri":"https:\/\/connect.facebook.net\/en_US\/iab.autofill.enhanced.js","line-number":1,"column-number":259,"status-code":200,"script-sample":""}
</code>

Meta-data:
* <code>{"addr":"2003:6:53df:b973::","agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/20E252 [FBAN\/FBIOS;FBDV\/iPhone11,8;FBMD\/iPhone;FBSN\/iOS;FBSV\/16.4.1;FBSS\/2;FBID\/phone;FBLC\/de_DE;FBOP\/5]"}</code>
* <code>{"addr":"2003:d5:8721:f000::","agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 Instagram 283.0.0.16.103 (iPhone11,2; iOS 16_4_1; de_DE; de-DE; scale=3.00; 1125x2436; 474411477)"}</code>
* <code>{"addr":"2003:eb:d747:f4bf::","agent":"Mozilla\/5.0 (Linux; Android 12; SM-G973F Build\/SP1A.210812.016; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/112.0.5615.136 Mobile Safari\/537.36 [FB_IAB\/FB4A;FBAV\/414.0.0.30.113;]"}</code>
* <code>{"addr":"2003:e7:a707:6171::","agent":"Mozilla\/5.0 (Linux; Android 10; MAR-LX1A Build\/HUAWEIMAR-L21A; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/113.0.5672.77 Mobile Safari\/537.36 [FB_IAB\/FB4A;FBAV\/414.0.0.30.113;]"}</code>

→ A User-Agent containing @FB*@ indicates the In-App-Browser
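Added example (not part of this issue and not TYPO3's own code): a small Python analyzer for the second proposed action, i.e. explaining such a violation instead of silently allowing it. It parses a CSP report as received at the report-uri, splits the serialized original policy into directives, checks whether the blocked host is already covered by the effective directive, and combines the known injected script URLs with the FBAN/FB_IAB/Instagram User-Agent markers into a verdict. The report JSON and the four user agents are copied from the issue text; the desktop user agent, the function names and the verdict labels are assumptions.

```python
"""Classify CSP violation reports caused by the Facebook/Instagram in-app browser.

Added example, not TYPO3 code. The report and the user agents are taken from the
issue text; DESKTOP_UA and all function names are assumptions.
"""
import json
import re
from urllib.parse import urlparse

# Script URLs the issue names as injected by the in-app browser.
KNOWN_IAB_SCRIPTS = {
    "https://connect.facebook.net/en_US/pcm.js",
    "https://connect.facebook.net/en_US/iab.autofill.enhanced.js",
}

# UA markers seen in the issue: iOS Facebook app (FBAN/FBIOS), Android app (FB_IAB/FB4A), Instagram.
IAB_UA_PATTERN = re.compile(r"\bFBAN/|\bFB_IAB/|\bInstagram \d")

# First CSP report from the issue, verbatim (JSON with escaped slashes).
REPORT_PCM = json.loads(r'''{"document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023\/act\/aetna","referrer":"https:\/\/indiemusik-festival.de\/events\/festival-2023","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684531784834120","blocked-uri":"https:\/\/connect.facebook.net\/en_US\/pcm.js","status-code":0,"source-file":"https:\/\/indiemusik-festival.de\/events\/festival-2023\/act\/aetna","line-number":1,"column-number":339}''')

# User agents from the issue's meta-data, plus one constructed desktop UA for contrast.
UA_IOS_FB = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 [FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]"
UA_IOS_INSTAGRAM = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 283.0.0.16.103 (iPhone11,2; iOS 16_4_1; de_DE; de-DE; scale=3.00; 1125x2436; 474411477)"
UA_ANDROID_FB = "Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"
DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"  # constructed


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def host_allowed(sources: list, url: str) -> bool:
    """True if some host-source in the directive covers the URL's host.

    Keyword sources ('self', 'nonce-...', 'report-sample') never name a host and are skipped.
    """
    host = urlparse(url).hostname or ""
    for src in sources:
        if src.startswith("'"):
            continue
        pattern = src.split("://", 1)[-1].split("/", 1)[0]  # drop scheme and path
        if pattern.startswith("*."):
            if host == pattern[2:] or host.endswith(pattern[1:]):
                return True
        elif pattern == host:
            return True
    return False


def classify(report: dict, user_agent: str) -> dict:
    """Explain one CSP report in the light of the request's User-Agent."""
    blocked = report["blocked-uri"]
    directive = report["effective-directive"]
    policy = parse_policy(report["original-policy"])
    # CSP fallback chain for script elements: script-src-elem -> script-src -> default-src
    sources = policy.get(directive) or policy.get("script-src") or policy.get("default-src", [])
    known_script = blocked in KNOWN_IAB_SCRIPTS
    iab_ua = bool(IAB_UA_PATTERN.search(user_agent))
    return {
        "blocked-host": urlparse(blocked).hostname,
        "known-iab-script": known_script,
        "in-app-browser-ua": iab_ua,
        "already-allowed": host_allowed(sources, blocked),
        "verdict": "facebook-in-app-browser-injection" if known_script and iab_ua else "unclassified",
    }


if __name__ == "__main__":
    for ua in (UA_IOS_FB, UA_IOS_INSTAGRAM, UA_ANDROID_FB, DESKTOP_UA):
        print(ua.split(" ", 1)[0], classify(REPORT_PCM, ua))
```

The `already-allowed` flag distinguishes a report that merely reflects an existing allow-list entry from a genuinely new source; for these in-app-browser reports it is false, which is exactly why they show up, and a reporting UI can then display the verdict rather than a bare blocked URI.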