I have a site. Site is used by users. I set the following Content Security Policy:
Content-Security-Policy: default-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;
img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'
www.google.com www.gstatic.com; connect-src 'self'; frame-src www.google.com; media-src 'self';
child-src 'none'; manifest-src 'self'; script-src-elem 'self' 'unsafe-
inline' www.gstatic.com www.google.com; report-uri https://my-site.com/policy-report;
My site has nothing to do with Facebook. I don't have any integrations with it, such as API/Authentication etc. Zero.
As soon as I deployed this Policy, I started receiving reports about violations. They're coming from people's mobile devices (iPhones and Andriods)
Here's some of them:
[blocked-uri] => https://connect.facebook.net
[violated-directive] => script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.gstatic.com
[blockedURI] => https://www.facebook.com/common/scribe_endpoint.php?c=iab_autofill_js_detection&....(and many more url parameters)
[violatedDirective] => img-src
[blockedURI] => https://www.facebook.com/common/scribe_endpoint.php?c=iab_autofill_js_event&m=%7B%22event%22%3A%22FIRST_FORM_INTERACTION%22%7D
[violatedDirective] => img-src
Can anyone please shed some light on this? The question is what is Facebook doing in people's phone's browsers on my site? Is it some kind of browser extension (data mining spyware) that affects every site user visits? If yes, which one?
The reason I need to know is I want to test this behavior myself, to make sure my users don't see any weird blocked Facebook's content on my site.
Thank you
