[tor-bugs] #11621 [HTTPS Everywhere: Chrome]: Pinterest.com doesn't render properly

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 27 05:40:05 UTC 2014


#11621: Pinterest.com doesn't render properly
--------------------------------------+---------------------
 Reporter:  offby1                    |          Owner:  pde
     Type:  defect                    |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  HTTPS Everywhere: Chrome  |        Version:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+---------------------
 See this screenshot:
 https://www.dropbox.com/s/7f1zhqer2363mkt/Screenshot%202014-04-26%2022.37.40.png
 Note that it says "Whoops! Something went wrong. Try again." at the
 bottom; that shouldn't be there (in fact, there should be more pictures of
 watches there).

 Also, lots of important-looking messages appear in the console; here are a
 few of them:

 Failed to load resource: the server responded with a status of 400 (Bad Request) https://a248.e.akamai.net/webapp/style/sprites/webapp-common-main-1x.2b10c974.png
 3
 XMLHttpRequest cannot load https://www.pinterest.com/resource/ContextLogResource/create/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.pinterest.com' is therefore not allowed access. (index):1
 [Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/passets.pinterest.com.s3.amazonaws.com/webapp/style/app/desktop/bundle1.e55ce4e7.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
  (index):1
 [Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/f/1586/2045/10m/passets-ak.pinterest.com/webapp/style/app/desktop/bundle2.139567db.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

 Disabling HTTPS Everywhere makes things work again.

 A few other people have also run into this:
 https://productforums.google.com/forum/#!topic/chrome/gf9-NjZxGjk

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11621>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
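
Added example (not part of the original ticket and not HTTPS Everywhere's code): a simplified CSP source-list matcher, run against the policy and the first refused stylesheet URL quoted in the console output above. It shows the style-src to default-src fallback and that no source in the list covers a248.e.akamai.net. The function names and the CONTRAST URL are constructed for illustration, and matching ignores ports and paths.

```javascript
// Policy string copied from the console output in the ticket.
const POLICY = "default-src 'self' *.pinterest.com *.pinimg.com *.google.com " +
  "connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com " +
  "www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com " +
  "*.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'";
const PAGE = "http://www.pinterest.com/"; // origin named in the console output
const REFUSED = "https://a248.e.akamai.net/passets.pinterest.com.s3.amazonaws.com" +
  "/webapp/style/app/desktop/bundle1.e55ce4e7.css"; // from the ticket
const CONTRAST = "https://passets.pinterest.com/bundle1.css"; // constructed URL

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified host-source match: scheme and host only; ports and paths ignored.
function sourceMatches(source, url, pageUrl) {
  if (source === "'self'") source = pageUrl.hostname;
  if (source.startsWith("'")) return false; // keywords never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = m[1], pattern = m[2].toLowerCase();
  // A schemeless source takes the page's scheme; an http page also allows https.
  const schemeOk = scheme
    ? url.protocol === scheme.toLowerCase() + ":"
    : url.protocol === pageUrl.protocol ||
      (pageUrl.protocol === "http:" && url.protocol === "https:");
  const hostOk = pattern.startsWith("*.")
    ? url.hostname.endsWith(pattern.slice(1)) // "*.x.com" covers subdomains only
    : url.hostname === pattern;
  return schemeOk && hostOk;
}

function checkLoad(policy, directive, resource, page) {
  const directives = parsePolicy(policy);
  // style-src is absent from this policy, so default-src is the fallback.
  const used = directives.has(directive) ? directive : "default-src";
  if (!directives.has(used)) return { directive: null, allowed: true, matched: null };
  const url = new URL(resource), pageUrl = new URL(page);
  const matched = directives.get(used).find((s) => sourceMatches(s, url, pageUrl));
  return { directive: used, allowed: matched !== undefined, matched: matched ?? null };
}

for (const u of [REFUSED, CONTRAST]) console.log(u, checkLoad(POLICY, "style-src", u, PAGE));
```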

