Opened 4 years ago

Last modified 19 months ago

#14120 new defect

Akamai ruleset breaks steamcommunity.com in plaintext HTTP

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I get a CSP error when loading steamcommunity urls over HTTP. HTTPS Everywhere has Steam and Steam Community rulesets disabled by default, but Akamai is enabled. Steam's servers send CSP headers for http://akamai when accessed over HTTP, and https://akamai when accessed over HTTPS.

URL tested

http://steamcommunity.com/market

Error message

Content Security Policy: The page's settings blocked the loading of a resource at https://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js?v=XZKI05CNhf-y&l=english ("script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval' http://steamcommunity-a.akamaihd.net https://api.steampowered.com http://www.google-analytics.com https://ssl.google-analytics.com").

Workaround

Page works if I enable Steam and Steam Community rulesets.

I am unable to include CSP headers in the ticket description because Trac flags the ticket as spam. If possible, I will include headers in comments.

Child Tickets

Change History (3)

comment:2 Changed 4 years ago by cypherpunks

CSP headers for https://steamcommunity.com/market

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ https://api.steampowered.com/ http://www.google-analytics.com https://ssl.google-analytics.com; object-src 'none'; connect-src 'self' https://steamcommunity.com http://steamcommunity.com https://api.steampowered.com/; frame-src 'self' http://store.steampowered.com/ https://store.steampowered.com/ http://www.youtube.com https://www.youtube.com; report-uri /actions/CSPReport

report-uri is set so Steam should be getting reports (verified in Network tab in Firefox dev tools), but there may also be an issue in HTTPS Everywhere with the mixed content of Akamai enabled by default and Steam disabled by default.
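The mismatch described in the description and in comment:2 can be checked offline with a small CSP source-list matcher. This is an added example, not code from the ticket or from HTTPS Everywhere: the two headers and the blocked script URL are quoted from the ticket, `akamai_ruleset` is a hypothetical stand-in for the real Akamai ruleset, and the matcher only handles the host-source forms that appear in these headers.

```python
from urllib.parse import urlsplit

# script-src seen on the HTTP page (quoted from the ticket's error message)
CSP_HTTP = ("script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval' "
            "http://steamcommunity-a.akamaihd.net https://api.steampowered.com "
            "http://www.google-analytics.com https://ssl.google-analytics.com")
# Start of the CSP header seen on the HTTPS page (quoted from comment:2, later directives omitted)
CSP_HTTPS = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ "
             "https://api.steampowered.com/ http://www.google-analytics.com "
             "https://ssl.google-analytics.com; object-src 'none'; report-uri /actions/CSPReport")
# The script the browser refused to load (from the error message)
SCRIPT = "http://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js?v=XZKI05CNhf-y&l=english"

def parse_script_src(header):
    """Return the source list of the script-src directive, or [] if absent."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []

def source_matches(src, url, page_origin, strict_scheme=True):
    """Does one host-source expression permit url? strict_scheme=True is the exact-scheme matching
    the ticket's browser applied; False models the CSP Level 3 rule where http: also covers https:."""
    if src == "'self'":
        src = page_origin
    if src.startswith("'"):        # keyword sources such as 'unsafe-inline' never match a URL
        return False
    s, u = urlsplit(src), urlsplit(url)
    scheme_ok = s.scheme == u.scheme or (not strict_scheme and (s.scheme, u.scheme) == ("http", "https"))
    path_ok = s.path in ("", "/") or u.path.startswith(s.path)
    return scheme_ok and s.hostname == u.hostname and s.port == u.port and path_ok

def script_allowed(header, url, page_origin, strict_scheme=True):
    return any(source_matches(s, url, page_origin, strict_scheme) for s in parse_script_src(header))

def akamai_ruleset(url):
    """Hypothetical stand-in for the HTTPS Everywhere Akamai ruleset: upgrade *.akamaihd.net to https."""
    u = urlsplit(url)
    if u.scheme == "http" and u.hostname.endswith(".akamaihd.net"):
        return "https://" + url[len("http://"):]
    return url

def reproduce():
    """(unrewritten script, rewritten/strict, rewritten/CSP3 matching, rewritten once the page is HTTPS)"""
    upgraded = akamai_ruleset(SCRIPT)
    return (script_allowed(CSP_HTTP, SCRIPT, "http://steamcommunity.com"),
            script_allowed(CSP_HTTP, upgraded, "http://steamcommunity.com"),
            script_allowed(CSP_HTTP, upgraded, "http://steamcommunity.com", strict_scheme=False),
            script_allowed(CSP_HTTPS, upgraded, "https://steamcommunity.com"))
```

`reproduce()` returns `(True, False, True, True)`: the server's own http: script URL passes its own policy, the Akamai-rewritten https: URL fails under exact scheme matching (the ticket's block), would pass under the later CSP Level 3 scheme rule, and passes once the Steam rulesets move the page itself to HTTPS, which is the workaround reported above.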

comment:3 Changed 19 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
