This page uses the following CSP in Report Only mode to detect foreign elements on the page that were likely injected by an in-app browser:
default-src 'none'; form-action 'none'; frame-ancestors 'none'; navigate-to 'none';
If you are not familiar with CSP, you can read my introductory blog post or any of my wide selection of blog posts on CSP.
This page is for research purposes and was created by Scott Helme. The CSP Reporting is sponsored by Report URI.