nico3333fr / CSP-useful

Collection of scripts, thoughts about CSP (Content Security Policy)
MIT License
487 stars 59 forks source link

Blocked URI : properties #96

Open Facyla opened 1 year ago

Facyla commented 1 year ago

A new one, on which i haven't found any details yet : the "properties" blocked URI. It is linked only with the "connect-src" directive, and applies on legit site URLs (standard pages of the website the CSP apply to).

nico3333fr commented 1 year ago

Would you have an example?

Facyla commented 1 year ago

Sure, here's one of them : apparently this user agent is from a in-app facebook browser

Timestamp 2023-02-16 15:08:53 Blocked URI properties Violated Directive connect-src User agent Mozilla/5.0 (Linux; Android 13; SM-A137F Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/109.0.5414.117 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/401.0.0.24.77;] Status code 200 Disposition enforce Source file https://connect.facebook.net/signals/config/xxxxxxxxxxxxxxx Document URI https://site/produit/PRODUIT/ Referrer https://site/type-de-PRODUIT/TYPE_PRODUIT/ Script sample