Odd requests to non-existing pages that all includ

Published 2019-04-09 22:22

Question:

This has been going on for at least some months on our servers and I'm wondering what's responsible for it. A browser add-on? Trojan? From different users (including logged in members), at different times, we get requests for the current page where the last part is replaced by 6_S3_

Some examples from the logs:

REQUEST[/pt/collectors/collector/6_S3_] REFERER[http://colnect.com/pt/collectors/collector/ciccamozzo]
REQUEST[/it/stamps/6_S3_] REFERER[http://colnect.com/it/stamps/countries]
REQUEST[/hu/account/6_S3_] REFERER[http://colnect.com/hu/account/my_lists]
REQUEST[/pl/coins/6_S3_] REFERER[http://colnect.com/pl/coins/countries]

Tried searching for it on the Internet and have come up with nothing, hence this question. Thanks.

Answer 1:

Regardless of the server you use, this HTTP header solves the OP's problem and also provides additional security against XSS attacks:

Content-Security-Policy: script-src s.colnect.net *.google-analytics.com 'unsafe-inline'

We also receive hundreds of requests like this originating from iframe elements included in our partners' sites. I haven't figured out exactly what causes it, but I updated the web server (Apache) configuration to include a CSP header in the response:

Header set Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; img-src data:"

This prevents any injected content from being loaded or executed inside our frame, but it allows the use of inline style tags and images with "data:" URIs, which is enough in our case.
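To see what the two policies in this answer actually permit, here is an added example (not code from the answer or from Colnect) of a simplified CSP source matcher: it parses a header, applies the script-src/style-src/img-src fallback to default-src, and decides whether a given URL or inline block would be allowed. It assumes the page origin http://colnect.com from the logs and does not model ports, paths, nonces, hashes or the https upgrade rule.

```python
from urllib.parse import urlparse

# The two policies quoted in the answer above.
ANSWER_POLICY_1 = "script-src s.colnect.net *.google-analytics.com 'unsafe-inline'"
ANSWER_POLICY_2 = "default-src 'none'; style-src 'unsafe-inline'; img-src data:"

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; the first copy of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_matches(pattern, host):
    # '*' matches any host; '*.x.com' matches subdomains of x.com but not x.com itself; else exact
    return pattern == "*" or (pattern.startswith("*.") and host.endswith(pattern[1:])) or host == pattern

def source_allows(source, url, page_origin):
    """Does one source expression permit fetching `url`? (ports and paths are not modelled)"""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if source.startswith("'"):      # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if source.endswith(":"):        # scheme-source such as data:
        return u.scheme == source[:-1].lower()
    scheme, sep, rest = source.partition("://")
    if not sep:                     # bare host: simplification, accept any scheme
        scheme, rest = "", source
    elif u.scheme != scheme.lower():
        return False
    host = rest.split("/", 1)[0].partition(":")[0].lower()
    return host_matches(host, (u.hostname or "").lower())

def csp_allows(header, directive, url, page_origin="http://colnect.com"):
    """Would a fetch governed by `directive` (e.g. script-src) be permitted for `url`?"""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:             # neither the directive nor default-src is set: unrestricted
        return True
    return any(source_allows(s, url, page_origin) for s in sources)

def inline_allowed(header, directive):
    """Inline script or style is allowed only through 'unsafe-inline' (nonces/hashes not modelled)."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources
```

Note that the first policy leaves img-src, style-src and every other fetch directive unrestricted because it sets no default-src, while the second locks everything down to 'none' and then reopens only inline styles and data: images.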