Opened 5 years ago

Closed 2 years ago

#11621 closed defect (worksforme)

Pinterest.com doesn't render properly

Reported by: offby1
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/HTTPS Everywhere: Chrome
Version:
Severity: Blocker
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See this screenshot: https://www.dropbox.com/s/7f1zhqer2363mkt/Screenshot%202014-04-26%2022.37.40.png Note that it says "Whoops! Something went wrong. Try again." at the bottom; that shouldn't be there (in fact, there should be more pictures of watches there).

Also, lots of important-looking messages appear in the console; here are a few of them:

Failed to load resource: the server responded with a status of 400 (Bad Request) https://a248.e.akamai.net/webapp/style/sprites/webapp-common-main-1x.2b10c974.png
3
XMLHttpRequest cannot load https://www.pinterest.com/resource/ContextLogResource/create/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.pinterest.com' is therefore not allowed access. (index):1
[Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/passets.pinterest.com.s3.amazonaws.com/webapp/style/app/desktop/bundle1.e55ce4e7.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

(index):1

[Report Only] Refused to load the stylesheet 'https://a248.e.akamai.net/f/1586/2045/10m/passets-ak.pinterest.com/webapp/style/app/desktop/bundle2.139567db.css' because it violates the following Content Security Policy directive: "default-src 'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com https://*.facebook.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com *.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Disabling HTTPS Everywhere makes things work again.

A few other people have also run into this: https://productforums.google.com/forum/#!topic/chrome/gf9-NjZxGjk
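The console errors above show two separate browser checks failing once subresource requests are rewritten to https while the document itself was loaded over http: the XHR to https://www.pinterest.com is no longer same-origin with the http page (hence the missing-CORS-header error), and the Akamai stylesheet host is simply absent from the default-src list. The following Python, added here as an example and not code from the ticket or from HTTPS Everywhere, reproduces both checks against the exact origin and directive quoted in the report; the CSP matcher is a simplification that ignores ports and path parts of source expressions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Facts copied from the ticket's console output: the document's origin and the
# exact default-src list named in the [Report Only] violations.
PAGE_ORIGIN = "http://www.pinterest.com"
DEFAULT_SRC = ("'self' *.pinterest.com *.pinimg.com *.google.com connect.facebook.net "
               "*.google-analytics.com https://*.facebook.com *.facebook.com "
               "www.googleadservices.com googleads.g.doubleclick.net *.tiles.mapbox.com "
               "*.4sqi.net media.pinterest.com.s3.amazonaws.com 'unsafe-inline' 'unsafe-eval'")

def same_origin(a: str, b: str) -> bool:
    """Browser origin comparison: scheme, host and port must all agree, so an
    http document and an https endpoint on the same host are cross-origin."""
    x, y = urlsplit(a), urlsplit(b)
    return (x.scheme, x.hostname, x.port) == (y.scheme, y.hostname, y.port)

def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' covers subdomains only, never the bare apex host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def csp_allows(directive: str, page_origin: str, url: str) -> Optional[str]:
    """Return the source expression in `directive` that permits `url`, or None.
    Simplified CSP host-source matching: ports and paths in expressions are
    ignored, which is sufficient for the list quoted in this ticket."""
    page, target = urlsplit(page_origin), urlsplit(url)
    for expr in directive.split():
        if expr == "'self'":
            if same_origin(page_origin, url):
                return expr
            continue
        if expr.startswith("'"):  # 'unsafe-inline' / 'unsafe-eval' never match a URL
            continue
        scheme, _, rest = expr.rpartition("://")
        host = rest.split("/")[0].split(":")[0]
        # Scheme-less expressions match the page's own scheme, and https is always
        # accepted as a secure upgrade (CSP3 rule); an explicit scheme is strict.
        schemes = {scheme} if scheme else {page.scheme, "https"}
        if target.scheme in schemes and _host_matches(host, target.hostname or ""):
            return expr
    return None

if __name__ == "__main__":
    for u in ("https://www.pinterest.com/resource/ContextLogResource/create/",
              "https://a248.e.akamai.net/webapp/style/sprites/webapp-common-main-1x.2b10c974.png"):
        print(u, "same-origin:", same_origin(PAGE_ORIGIN, u), "csp:", csp_allows(DEFAULT_SRC, PAGE_ORIGIN, u))
```

Note that `*.pinterest.com` does not cover the bare `pinterest.com` host, and that the rewritten XHR passes CSP but still fails the origin check, which is exactly the split the two console messages show.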


Change History (2)

comment:1 Changed 5 years ago by offby1

The version of HTTPS Everywhere is 2014.4.16.

comment:2 Changed 2 years ago by cypherpunks

Resolution: worksforme
Severity: Blocker
Status: new → closed

No longer reproducible.

FWIW most of the Pinterest.com.xml ruleset has been removed since it's HSTS preloaded now (only pinimg.com remains now), see: https://github.com/EFForg/https-everywhere/commit/454fb4a9a8f60ed7db6e0624637574b0534a6a14
