[tor-bugs] #14120 [EFF-HTTPS Everywhere]: Akamai ruleset breaks steamcommunity.com in plaintext HTTP
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 6 09:17:49 UTC 2015
#14120: Akamai ruleset breaks steamcommunity.com in plaintext HTTP
----------------------------------+---------------------
 Reporter:  cypherpunks           |          Owner:
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  EFF-HTTPS Everywhere  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
I get a CSP error when loading steamcommunity URLs over HTTP. HTTPS
Everywhere has Steam and Steam Community rulesets disabled by default, but
Akamai is enabled. Steam's servers send CSP headers for http://akamai when
accessed over HTTP, and https://akamai when accessed over HTTPS.
== URL tested ==
http://steamcommunity.com/market
== Error message ==
Content Security Policy: The page's settings blocked the loading of a
resource at
https://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js?v=XZKI05CNhf-y&l=english
("script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval'
http://steamcommunity-a.akamaihd.net https://api.steampowered.com
http://www.google-analytics.com https://ssl.google-analytics.com").
== Workaround ==
Page works if I enable Steam and Steam Community rulesets.
I am unable to include CSP headers in the ticket description because Trac
flags the ticket as spam. If possible, I will include headers in comments.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14120>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
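
The following is an added example, not part of the ticket or of HTTPS Everywhere's code. It checks the script-src list quoted in the error message against a URL before and after an http-to-https rewrite, using strict origin matching as the error shows. The `upgrade` function and its host list are a hypothetical model of an enabled ruleset; paths and wildcards in sources are not modelled.

```javascript
// Policy text copied from the error message in the ticket.
const POLICY =
  "script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval' " +
  "http://steamcommunity-a.akamaihd.net https://api.steampowered.com " +
  "http://www.google-analytics.com https://ssl.google-analytics.com";

// Return the host sources of one directive, skipping quoted keywords
// such as 'unsafe-inline' that are not URLs.
function sourceList(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) {
      return sources.filter((s) => !s.startsWith("'"));
    }
  }
  return [];
}

// Strict match (assumption): scheme, host and port of the resource must
// equal those of a listed source, so http://host does not cover https://host.
function allows(policy, directive, resourceUrl) {
  const origin = new URL(resourceUrl).origin;
  return sourceList(policy, directive).some((s) => new URL(s).origin === origin);
}

// Hypothetical model of an upgrade ruleset: rewrite http to https,
// but only for the hosts that the enabled ruleset covers.
function upgrade(resourceUrl, upgradedHosts) {
  const u = new URL(resourceUrl);
  if (u.protocol === "http:" && upgradedHosts.includes(u.hostname)) {
    u.protocol = "https:";
  }
  return u.href;
}

// Sources the policy allows as written but no longer allows once the
// ruleset has rewritten requests to them.
function brokenSources(policy, directive, upgradedHosts) {
  return sourceList(policy, directive).filter(
    (s) => !allows(policy, directive, upgrade(s, upgradedHosts))
  );
}
```

Calling `brokenSources(POLICY, "script-src", ["steamcommunity-a.akamaihd.net"])` returns the one source that the rewrite puts outside the policy. Browsers that implement CSP Level 3 source matching let an `http:` source also match the `https:` form of the same host, so this strict model does not describe them.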