We started using Content Security Policy (CSP) on our website and I noticed that many users violates CSP rules through webviewprogressproxy URLs. In such cases I receive the following report from CSP:
{"csp-report":{
"document-uri":"http://example.com/en/booking/b2",
"referrer":"http://example.com/en/booking/b1/nnn",
"violated-directive":"default-src 'self'",
"original-policy":"default-src 'self'; font-src data: 'self'; img-src 'self' www.google-analytics.com data: s3.amazonaws.com; script-src 'self' www.google-analytics.com; report-uri /cspreport",
"blocked-uri":"webviewprogressproxy://",
"source-file":"http://example.com/en/booking/b2",
"line-number":1
}}
User-Agent:
Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B440 [FBAN/MessengerForiOS;FBAV/28.1.0.50.260;FBBV/10708012;FBDV/iPhone7,2;FBMD/iPhone;FBSN/iPhone OS;FBSV/8.1.2;FBSS/2; FBCR/giffgaff;FBID/phone;FBLC/en_US;FBOP/5]
As you can see, there is some URL with webviewprogressproxy protocol. However, we don't use this protocol and when we look at the User-Agent, it seems that some Facebook application on iOS causes this error, but I'm not sure about this.
Do anyone know what causes this kind of error and how we can avoid this?