Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by cypherpunks@cypherpunks

Akamai ruleset breaks steamcommunity.com in plaintext HTTP

I get a CSP error when loading steamcommunity urls over HTTP. HTTPS Everywhere has Steam and Steam Community rulesets disabled by default, but Akamai is enabled. Steam's servers send CSP headers for http://akamai when accessed over HTTP, and https://akamai when accessed over HTTPS.

URL tested

http://steamcommunity.com/market

Error message

Content Security Policy: The page's settings blocked the loading of a resource at https://steamcommunity-a.akamaihd.net/public/javascript/modalContent.js?v=XZKI05CNhf-y&l=english ("script-src http://steamcommunity.com 'unsafe-inline' 'unsafe-eval' http://steamcommunity-a.akamaihd.net https://api.steampowered.com http://www.google-analytics.com https://ssl.google-analytics.com").

Workaround

Page works if I enable Steam and Steam Community rulesets.

I am unable to include CSP headers in the ticket description because Trac flags the ticket as spam. If possible, I will include headers in comments.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information