[tor-bugs] #14120 [EFF-HTTPS Everywhere]: Akamai ruleset breaks steamcommunity.com in plaintext HTTP

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 6 09:17:49 UTC 2015


#14120: Akamai ruleset breaks steamcommunity.com in plaintext HTTP
----------------------------------+---------------------
 Reporter:  cypherpunks           |          Owner:
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  EFF-HTTPS Everywhere  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
 I get a CSP error when loading steamcommunity URLs over HTTP. HTTPS
 Everywhere has Steam and Steam Community rulesets disabled by default, but
 Akamai is enabled. Steam's servers send CSP headers for http://akamai when
 accessed over HTTP, and https://akamai when accessed over HTTPS.

 == URL tested ==

 http://steamcommunity.com/market

 == Error message ==

 Content Security Policy: The page's settings blocked the loading of a
 resource at
 https://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js?v=XZKI05CNhf-y&l=english
 ("script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval'
 http://steamcommunity-a.akamaihd.net https://api.steampowered.com
 http://www.google-analytics.com https://ssl.google-analytics.com").

 == Workaround ==

 Page works if I enable Steam and Steam Community rulesets.

 I am unable to include CSP headers in the ticket description because Trac
 flags the ticket as spam. If possible, I will include headers in comments.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14120>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
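
The mismatch reported in this ticket, reproduced as an added example (not part of the original message and not HTTPS Everywhere's code). Assumptions: CSP sources are compared with strict scheme matching, as the error message shows; rewrite() and the host lists are hypothetical stand-ins for rulesets; the policy served over HTTPS is constructed from the ticket's description.

```javascript
// script-src directive copied from the error message in the ticket.
const POLICY = "script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval' " +
  "http://steamcommunity-a.akamaihd.net https://api.steampowered.com " +
  "http://www.google-analytics.com https://ssl.google-analytics.com";
const PAGE_URL = "http://steamcommunity.com/market";
const SCRIPT_URL = "http://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js";

// Host sources (scheme://host) of one directive, skipping quoted keywords.
function hostSources(policy, directive) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === directive) return tokens.slice(1).filter((t) => !t.startsWith("'"));
  }
  return [];
}

// Assumption: scheme and host must both match exactly (no http-to-https upgrade).
function allowed(policy, directive, resourceUrl) {
  const u = new URL(resourceUrl);
  return hostSources(policy, directive).some((src) => {
    const s = new URL(src);
    return s.protocol === u.protocol && s.host === u.host;
  });
}

// Hypothetical stand-in for enabled rulesets: upgrade matching hosts to https.
function rewrite(url, httpsHosts) {
  const u = new URL(url);
  const hit = httpsHosts.some((h) => u.hostname === h || u.hostname.endsWith("." + h));
  if (u.protocol === "http:" && hit) u.protocol = "https:";
  return u.toString();
}

// Constructed from the ticket: the server lists https://akamai when the page is
// fetched over HTTPS, and http://akamai when it is fetched over HTTP.
function policyFor(pageUrl) {
  if (!pageUrl.startsWith("https:")) return POLICY;
  return POLICY.replace("http://steamcommunity-a.akamaihd.net",
                        "https://steamcommunity-a.akamaihd.net");
}

// True if the page's script still loads with the given ruleset hosts enabled.
function scriptLoads(enabledHosts) {
  const page = rewrite(PAGE_URL, enabledHosts);
  return allowed(policyFor(page), "script-src", rewrite(SCRIPT_URL, enabledHosts));
}

console.log("Akamai only:", scriptLoads(["akamaihd.net"]));
console.log("Akamai + Steam:", scriptLoads(["akamaihd.net", "steamcommunity.com"]));
```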

