Instapy: Content security policy directive: frame-src self

Created on 10 Sep 2018  ·  9 Comments  ·  Source: timgrossmann/InstaPy

Hey guys,
I will delete this issue since it is not really an issue, more of a question.

I would appreciate an explanation of why I get this report:

"[Report Only] Refused to frame 'https://www.facebook.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".

THANKS @timgrossmann

@uluQulu @sionking @CharlesCCC @converge
You guys are doing SO MUCH for the community THANK YOU!

Labels: discussion, question, wontfix


The reports come after:

INFO [2018-09-10 10:14:38] [xx] Starting to get the Followers data..

INFO [2018-09-10 10:42:34] [xx] Starting to unfollow users..

I never scrape with my real users.

@lostion actually I have been seeing those pop-ups on my account as well. @sionking what do you mean by "scrape with my real users"? I wasn't running the account for scraping. This is the normal InstaPy run.

@CharlesCCC "those pop-ups on my account as well"
Do you mean it pops up on your web page, or in the console?
And yes, InstaPy does scraping; ask @uluQulu, if you choose "not following me" for example.

@sionking I meant in the console, sorry about the confusion. I had a very basic configuration: like/comment/follow/unfollow.

Hi all
Welcome @lostion

It has hit my screen too from the start and I had the same guess as @lostion.

The thing is,

  • It happens in headless mode
  • It happens WITH [after] the GET web address navigation method - browser.get()

I have too little time to inspect it further and I hope somebody will clear up this situation.

A few more hints,

  • Reading up on CSP [Content Security Policy] with the frame keyword will help [AFAIK]
  • It is caused by the latest BETA updates in the [safety] concept and smells a little bit bitter for the future; that's why it needs to be permanently analyzed [IMHO]

Replies:

@lostion
Your second comment, suggesting that it is related to scraping as @sionking said, is the wrong track. See the causes of it above ☝🏼

@CharlesCCC
What @sionking said about scraping is getting data using graphql; e.g. the nonFollowers method of the unfollow feature uses it to get followers & following data, and all of the relationship tools use the same graphql method.
I did not introduce data getting through graphql, I think @timgrossmann wrote it? Thanks to the implementor of that great feature 🙋🏼‍♂️
Anyways, @sionking's intention is "_Using a proxy for that part_" or "_Scraping from another account_" and it is a topic for another thread 😄


Cheers 😁

Headless mode is detectable.
I have no idea what CSP is, so no help here.

It means somewhere the program running headless is trying to load a page from Facebook.com (or probably Instagram since Facebook owns it) into a <frame> or <iframe> that isn’t frameable.

If a web page response has the header Content-Security-Policy: frame-src ‘self’ set, it means that the only pages that can load that page into frames are pages that originate from the same domain (i.e. other Facebook.com pages). Applications can also do the same thing with the response header X-Frame-Options: sameorigin and this is usually added to protect against web application vulnerabilities like Clickjacking.

References:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

https://www.owasp.org/index.php/Clickjacking

@sionking @uluqulu @lostion
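As an added illustration (not InstaPy's code, nor anything captured from Instagram or Facebook), the following models how a browser evaluates the embedding page's `frame-src` directive against the URL of a frame it tries to load, and reproduces the console message shape quoted in the issue, including the `[Report Only]` prefix that `Content-Security-Policy-Report-Only` produces. One caveat worth keeping in mind: `frame-src` in a page's own policy restricts what that page may embed, whereas `frame-ancestors` and `X-Frame-Options` restrict who may embed the page; the sample policies below are constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed sample policies for this demo (not Instagram's or Facebook's real headers).
ENFORCING = "default-src 'self'; frame-src 'self'"
REPORT_ONLY = "frame-src 'self' https://*.facebook.com"

def governing_sources(csp):
    """Parse a policy; frame-src governs frames, falling back to child-src, then default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return name, directives[name]
    return None, None  # no governing directive: framing is unrestricted

def source_matches(source, frame, page):
    """Match one source expression against the parsed URL of the frame."""
    if source == "'self'":  # same scheme and host[:port] as the embedding page
        return (frame.scheme, frame.netloc) == (page.scheme, page.netloc)
    if source == "'none'":
        return False
    # A host source may omit the scheme; it then defaults to the page's scheme.
    src = urlparse(source if "://" in source else f"{page.scheme}://{source}")
    if src.scheme != frame.scheme:
        return False
    if src.hostname.startswith("*."):  # wildcard covers any subdomain
        return frame.hostname.endswith(src.hostname[1:])
    return src.hostname == frame.hostname

def frame_allowed(csp, page_url, frame_url):
    """May the page at page_url embed frame_url under policy csp?"""
    name, sources = governing_sources(csp)
    if sources is None:
        return True
    page, frame = urlparse(page_url), urlparse(frame_url)
    return any(source_matches(s, frame, page) for s in sources)

def violation_report(csp, page_url, frame_url, report_only=False):
    """Console message a browser logs on violation (None when the frame is allowed)."""
    if frame_allowed(csp, page_url, frame_url):
        return None
    name, sources = governing_sources(csp)
    prefix = "[Report Only] " if report_only else ""  # Report-Only logs but still loads the frame
    directive = " ".join([name] + sources)
    return (f"{prefix}Refused to frame '{frame_url}' because it violates the following "
            f'Content Security Policy directive: "{directive}".')
```

Under the enforcing policy the frame is blocked; under the report-only variant the same frame would be allowed by the wildcard host source, and a report-only violation is logged without blocking anything.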

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

> If this problem still occurs, please open a new issue
