Opened 6 years ago

Last modified 3 years ago

#14120 new defect

Akamai ruleset breaks in plaintext HTTP

Reported by: cypherpunks Owned by:
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


I get a CSP error when loading steamcommunity URLs over HTTP. HTTPS Everywhere has Steam and Steam Community rulesets disabled by default, but Akamai is enabled. Steam's servers send CSP headers for http://akamai when accessed over HTTP, and https://akamai when accessed over HTTPS.

URL tested

Error message

Content Security Policy: The page's settings blocked the loading of a resource at ("script-src 'unsafe-inline' 'unsafe-eval'").


Page works if I enable Steam and Steam Community rulesets.

I am unable to include CSP headers in the ticket description because Trac flags the ticket as spam. If possible, I will include headers in comments.


Change History (3)

comment:2 Changed 6 years ago by cypherpunks

CSP headers for

script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; connect-src 'self'; frame-src 'self'; report-uri /actions/CSPReport

report-uri is set so Steam should be getting reports (verified in Network tab in Firefox dev tools), but there may also be an issue in HTTPS Everywhere with the mixed content of Akamai enabled by default and Steam disabled by default.
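The mismatch described in the ticket can be reproduced without a browser by modelling how a CSP source list is matched against a subresource URL. The JavaScript below is an added example for this ticket, not code from the reporter, from Steam or from HTTPS Everywhere. It models the strict per-scheme matching browsers applied when the ticket was filed: a host-source written as http://host matches only http:// URLs, and 'self' means the page's exact scheme, host and port. (CSP Level 3 later allowed an http: host-source, and 'self' on an http: page, to also match https:// on the same host, which is why this particular breakage is less likely in current browsers.) The hostnames cdn.akamai.example and steamcommunity.example and the two policy strings are constructed stand-ins; the real Steam headers are not reproduced on the ticket beyond the one quoted above.

```javascript
// Added example (not from the ticket, Steam or HTTPS Everywhere): a minimal model of
// strict per-scheme CSP source matching, used to show why rewriting only the Akamai
// URLs to https:// while the Steam page itself stays on http:// gets the script blocked.
// Hosts and policies below are constructed for the example.

// Parse "script-src 'self' http://cdn.example; object-src 'none'" into
// Map<directive, [source expressions]>. Repeated directives keep the first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Default port for a scheme, so "https://host" also matches "https://host:443".
function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

// Does one source expression allow `url` on a page served from `page`?
// Strict model: an explicit scheme must equal the URL's scheme exactly, a
// scheme-less host-source inherits the page's scheme, and 'self' is the page's
// exact scheme/host/port.
function sourceMatches(expr, url, page) {
  if (expr === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname &&
      (url.port || defaultPort(url.protocol)) === (page.port || defaultPort(page.protocol));
  }
  if (expr.startsWith("'")) return false;            // 'none', 'unsafe-inline', ... never match a URL
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {          // scheme-source such as "https:"
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : page.protocol;
  if (url.protocol !== wantScheme) return false;     // the check that fails in the ticket
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (wildcard ? !uh.endsWith('.' + h) : uh !== h) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port !== '*' && (port || defaultPort(wantScheme)) !== urlPort) return false;
  if (path && !(url.pathname === path || (path.endsWith('/') && url.pathname.startsWith(path)))) return false;
  return true;
}

// Would <script src=scriptUrl> on pageUrl be allowed under `policy`?
function scriptAllowed(policy, pageUrl, scriptUrl) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return true;                          // no applicable directive: nothing to enforce
  const page = new URL(pageUrl), url = new URL(scriptUrl);
  return sources.some(s => sourceMatches(s, url, page));
}

// What the default ruleset state does: only the CDN host is rewritten to https://,
// the Steam page URL itself is left alone.
function rewriteAkamaiOnly(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'http:' && u.hostname.endsWith('.akamai.example')) u.protocol = 'https:';
  return u.href;
}

// Constructed stand-ins for the http:// and https:// variants of the policy the reporter describes.
const HTTP_PAGE_POLICY  = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://cdn.akamai.example; object-src 'none'; report-uri /actions/CSPReport";
const HTTPS_PAGE_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.akamai.example; object-src 'none'; report-uri /actions/CSPReport";

// Scenario 1: page stays http://, Akamai ruleset rewrites the script URL -> blocked.
function brokenScenario() {
  return scriptAllowed(HTTP_PAGE_POLICY, 'http://steamcommunity.example/app/1',
    rewriteAkamaiOnly('http://cdn.akamai.example/js/app.js'));
}

// Scenario 2: Steam rulesets enabled too, so the page is https:// and the server
// sends the https:// policy -> the same rewritten script URL is allowed.
function fixedScenario() {
  return scriptAllowed(HTTPS_PAGE_POLICY, 'https://steamcommunity.example/app/1',
    rewriteAkamaiOnly('http://cdn.akamai.example/js/app.js'));
}

console.log('http page + Akamai-only rewrite allowed:', brokenScenario());   // false
console.log('https page + Akamai-only rewrite allowed:', fixedScenario());   // true
```

The point the model makes explicit is that the extension rewrites the request URL before the page's policy is evaluated, so the policy the server wrote for an http:// page is checked against an https:// fetch it never listed; the same happens to 'self' if a same-origin script is rewritten while the page is not.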

comment:3 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
