Task #100903
Updated by Oliver Hader over 1 year ago
The Facebook App on mobile devices uses an In-App-Browser handler which seems to inject JavaScript, spotted on https://indiemusik-festival.de/events/festival-2023

Potential Actions:

* either add a handler to allow these requests,
* or add information/an analyzer that describes what was going on

Sources:

* https://connect.facebook.net/en_US/pcm.js
* https://connect.facebook.net/en_US/iab.autofill.enhanced.js

CSP Violations:

* <code>{"document-uri":"https://indiemusik-festival.de/events/festival-2023/act/aetna","referrer":"https://indiemusik-festival.de/events/festival-2023","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-MPX1bdMnopM_utJ_FmTCFFHZ9KHhyCmdRfse0-UqvO4QjSq5g6wn7A' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684531784834120","blocked-uri":"https://connect.facebook.net/en_US/pcm.js","status-code":0,"source-file":"https://indiemusik-festival.de/events/festival-2023/act/aetna","line-number":1,"column-number":339}</code>
* <code>{"document-uri":"https://indiemusik-festival.de/events/festival-2023","referrer":"https://l.facebook.com/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com https://instagram.com https://*.instagram.com; img-src 'self' *.ytimg.com *.vimeocdn.com data: https://instagram.com https://*.instagram.com; default-src 'self'; script-src 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; connect-src 'self' https://analytics.in-die-musik.de; script-src-elem 'self' 'nonce-EC5M1XDTyK9jsgUvmXkk5NgpMA9SWP0Y9tfQ4vbQoOiIXgyNXn10zg' https://analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https://cloud.in-die-musik.de; report-uri https://indiemusik-festival.de/@http-reporting?csp=report&requestTime=1684427112240721","disposition":"enforce","blocked-uri":"https://connect.facebook.net/en_US/iab.autofill.enhanced.js","line-number":1,"column-number":259,"status-code":200,"script-sample":""}</code>

Meta-Data:

* <code>{"addr":"2003:6:53df:b973::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 [FBAN/FBIOS;FBDV/iPhone11,8;FBMD/iPhone;FBSN/iOS;FBSV/16.4.1;FBSS/2;FBID/phone;FBLC/de_DE;FBOP/5]"}</code>
* <code>{"addr":"2003:d5:8721:f000::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 283.0.0.16.103 (iPhone11,2; iOS 16_4_1; de_DE; de-DE; scale=3.00; 1125x2436; 474411477)"}</code>
* <code>{"addr":"2003:eb:d747:f4bf::","agent":"Mozilla/5.0 (Linux; Android 12; SM-G973F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}</code>
* <code>{"addr":"2003:e7:a707:6171::","agent":"Mozilla/5.0 (Linux; Android 10; MAR-LX1A Build/HUAWEIMAR-L21A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.77 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/414.0.0.30.113;]"}</code>

→ a User-Agent containing @FB*@ indicates the In-App-Browser
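As an added example in the spirit of the second proposed action (an analyzer that explains the report), and not code from the issue or from TYPO3: it pairs a CSP violation report with its meta-data record, and flags a script-src violation as explained by the Facebook/Instagram In-App-Browser only when the blocked host is connect.facebook.net and the User-Agent carries one of the markers seen above (FBAN/, FB_IAB/, Instagram). The script-host set, the marker regex, the sample records (shortened from the issue) and the desktop User-Agent are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

# Script host the issue attributes to the In-App-Browser, and the UA markers
# from its meta-data records (assumed list, extend as further reports arrive).
IAB_SCRIPT_HOSTS = {"connect.facebook.net"}
IAB_UA_MARKER = re.compile(r"(FBAN/|FB_IAB/|\bInstagram \d)")


def _directive(report: dict) -> str:
    return report.get("effective-directive") or report.get("violated-directive", "?")


def classify_violation(report: dict, meta: dict) -> str:
    """'fb-in-app-browser' when a script-src violation is explained by the
    in-app browser injecting its own script, otherwise 'unexplained'."""
    host = (urlsplit(report.get("blocked-uri", "")).hostname or "").lower()
    marker = IAB_UA_MARKER.search(meta.get("agent", ""))
    if _directive(report).startswith("script-src") and host in IAB_SCRIPT_HOSTS and marker:
        return "fb-in-app-browser"
    return "unexplained"


def describe_violation(report: dict, meta: dict) -> str:
    """One-line explanation for a report viewer, so the operator can see that
    the violation is not a misconfiguration of the site's own policy."""
    blocked = report.get("blocked-uri", "?")
    if classify_violation(report, meta) == "fb-in-app-browser":
        marker = IAB_UA_MARKER.search(meta["agent"]).group(1)
        return (f"{_directive(report)} blocked {blocked}: User-Agent marker "
                f"'{marker}' shows a Facebook/Instagram In-App-Browser injecting "
                "its own script; not a site defect")
    return f"{_directive(report)} blocked {blocked}: unexplained, needs review"


# Constructed samples, values taken from the issue with original-policy dropped.
SAMPLE_REPORT = json.loads('{"document-uri":"https://indiemusik-festival.de/events/festival-2023/act/aetna",'
    '"violated-directive":"script-src-elem","effective-directive":"script-src-elem",'
    '"blocked-uri":"https://connect.facebook.net/en_US/pcm.js","status-code":0}')
FB_META = json.loads('{"addr":"2003:6:53df:b973::","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 '
    'like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/20E252 [FBAN/FBIOS;FBDV/iPhone11,8]"}')
IG_META = {"addr": "2003:d5:8721:f000::", "agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4_1 like Mac OS X) "
           "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 283.0.0.16.103 (iPhone11,2)"}
# Same blocked script from an ordinary desktop browser (constructed): stays unexplained.
DESKTOP_META = {"addr": "192.0.2.1", "agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/113.0.0.0 Safari/537.36"}

if __name__ == "__main__":
    for meta in (FB_META, IG_META, DESKTOP_META):
        print(describe_violation(SAMPLE_REPORT, meta))
```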