We started using the Content Security Policy (CSP) on our website, and I noticed that many users violate CSP rules through the webviewprogressproxy URLs. In such cases, I get the following report from CSP:
    {"csp-report":{
      "document-uri":"http://example.com/en/booking/b2",
      "referrer":"http://example.com/en/booking/b1/nnn",
      "violated-directive":"default-src 'self'",
      "original-policy":"default-src 'self'; font-src data: 'self'; img-src 'self' www.google-analytics.com data: s3.amazonaws.com; script-src 'self' www.google-analytics.com; report-uri /cspreport",
      "blocked-uri":"webviewprogressproxy://",
      "source-file":"http://example.com/en/booking/b2",
      "line-number":1
    }}

    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B440 [FBAN/MessengerForiOS;FBAV/28.1.0.50.260;FBBV/10708012;FBDV/iPhone7,2;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.1.2;FBSS/2; FBCR/giffgaff;FBID/phone;FBLC/en_US;FBOP/5]
As you can see, there is a URL with the webviewprogressproxy protocol. However, we do not use this protocol, and when we look at the User-Agent, it seems that some Facebook application on iOS is causing this error, but I'm not sure about that.
Does anyone know what causes this error, and how can we avoid this?
uiwebview content-security-policy
user1613797
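One way to triage reports like the one in the question on the report endpoint, as an added example that is not part of the original post: it separates reports whose blocked-uri uses a scheme the site's own markup could not have requested and counts them per embedding app. The `WEB_SCHEMES` set, the function names and the second sample entry are assumptions of this example; the `FBAN/` token is the one visible in the quoted User-Agent.

```python
import json
import re
from collections import Counter

# Schemes a page's own markup can load content over (assumption of this example);
# any other scheme in blocked-uri is treated as foreign to the site.
WEB_SCHEMES = {"http", "https", "ws", "wss", "data", "blob", "filesystem"}

def classify(raw_body, user_agent=""):
    """Summarise one CSP report body; returns None if the body is not a report."""
    try:
        report = json.loads(raw_body)["csp-report"]
        blocked = str(report.get("blocked-uri", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # the endpoint is unauthenticated, so expect junk
    has_scheme = ":" in blocked
    scheme = blocked.split(":", 1)[0].lower() if has_scheme else (blocked or "empty")
    # FBAN/<name> is the app token visible in the User-Agent quoted in the question.
    app = re.search(r"FBAN/([^;\]\s]+)", user_agent)
    return {
        "scheme": scheme,
        "foreign_scheme": has_scheme and scheme not in WEB_SCHEMES,
        "directive": report.get("violated-directive", ""),
        "embedding_app": app.group(1) if app else None,
    }

def summarise(entries):
    """Count foreign-scheme reports per (scheme, embedding app)."""
    counts = Counter()
    for body, ua in entries:
        info = classify(body, ua)
        if info and info["foreign_scheme"]:
            counts[(info["scheme"], info["embedding_app"])] += 1
    return counts

# Report and User-Agent shortened from the question; the second entry is constructed.
PAGE_REPORT = ('{"csp-report":{"document-uri":"http://example.com/en/booking/b2",'
               '"violated-directive":"default-src \'self\'",'
               '"blocked-uri":"webviewprogressproxy://"}}')
PAGE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) Mobile/12B440 "
           "[FBAN/MessengerForiOS;FBAV/28.1.0.50.260]")
CONSTRUCTED = ('{"csp-report":{"violated-directive":"script-src \'self\'",'
               '"blocked-uri":"http://cdn.example.net"}}', "Mozilla/5.0 (X11; Linux)")

if __name__ == "__main__":
    print(classify(PAGE_REPORT, PAGE_UA))
    print(summarise([(PAGE_REPORT, PAGE_UA), CONSTRUCTED, ("not json", "")]))
```

Grouping by scheme and app keeps such reports out of the queue that is reviewed for real policy violations without loosening the policy itself.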