EFForg / https-everywhere

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.
https://eff.org/https-everywhere

Not upgrading the Steam Community (steamcommunity.com) on Chrome 62 Dev? #12477

Closed dxgldotorg closed 5 years ago

dxgldotorg commented 7 years ago

I went on the Steam Community recently, and "Not secure" popped up. (The "Mark non-secure origins as non-secure" flag is set to "Warn on HTTP after editing forms", per the October 2017 planned setting.) Then I noticed HTTPS Everywhere doesn't have a checkbox for steamcommunity.com.

Sometimes it seems I can jumpstart HTTPS by forcing it in the address bar, but lately more often than not the add-on doesn't seem to be working on Steam Community.

HTTPS Everywhere version is 2017.8.31 and Chrome version is Version 62.0.3198.0 (Official Build) dev (64-bit)

I posted a thread at https://steamcommunity.com/discussions/forum/1/1474221865197802337/ but not everyone seems fond of securing the Steam site.

jeremyn commented 7 years ago

HTTPS Everywhere rewrites the URL http://steamcommunity.com for me. You can check this by opening the developer console (F12) in the browser, click Network, and then visit the URL in that tab. You should see no activity to the unencrypted version of the URL.

Can you provide a specific URL where you see the problem and a screenshot of what the add-on UI (with the checkboxes etc) looks like on that page?

Also, side note, but "forcing"/manually adding https to a URL in the address bar does not mean all elements on a page (images etc) will be loaded securely. The site admins need to design the page to do that. HTTPS Everywhere however should check all outbound requests, so ideally even these numerous secondary requests for images etc can be checked and potentially rewritten to HTTPS.

DelegatedCore commented 6 years ago

Issue remains unsolved and is annoying because when logged in to the site through HTTPS it will keep throwing you to HTTP where you're not logged in. Have to manually add https:// to every link because https everywhere does nothing on steam. I know the plugin does actually force some connections to go through HTTPS but the secure cookie (from logging in with https) is never loaded.

Super annoying

jeremyn commented 6 years ago

As I said before, http://steamcommunity.com is rewritten as expected for me. If you are talking about http://store.steampowered.com , that's a different thing.

Here are the relevant rulesets: Steam_Community.com.xml, Steam.xml. Note that the Steam.xml ruleset is off by default. Realistically if you want some problem fixed, you should consider writing a pull request yourself. There is a very large backlog as you can see.

DelegatedCore commented 6 years ago

It consistently fails to rewrite steamcommunity.com for me. Maybe because in my version of chrome sites with just http:// don't show that in the link bar.

I'll see what I can do for it.

dxgldotorg commented 6 years ago

Is it possible that Valve may be doing something weird to block the add-on from working properly?

DelegatedCore commented 6 years ago

Probably not but maybe. I found a reproducible way to see some links fail to be set to https:

After manually loading steamcommunity.com/id/whatever your profile is/ in https you can see that in the nav bar any links in community are still http:. Same with store and about. For the store dropdown that makes sense because, as jeremyn said, the ruleset for store is disabled. But the fact that the community and about links are not set to https is weird.

Another way to check it:

When on a badge page for which you don't own all cards to complete the badge, you can see that the links in the "Search the Market" buttons are still http even though they are steamcommunity.com/market/ links.

I don't understand why such links are not set to https unless they are loaded after https everywhere has already done its magic and stopped.

jeremyn commented 6 years ago

HTTPS Everywhere doesn't rewrite the links in the page content as you see it in your browser, meaning that if a link is presented to you in the original page as http:// , it will still appear as http:// when you hover your cursor over it. Instead, HTTPS Everywhere rewrites outbound HTTP requests to HTTPS. You can confirm this by watching the activity in your browser's developer tools (F12) > Network tab when you follow an http:// link.

It is extremely unlikely that Valve is doing anything to deliberately interfere with HTTPS Everywhere.

Can one of you try to reproduce this problem in a new Firefox or Chrome profile, with only HTTPS Everywhere installed, without changing any settings, and provide the specific URL you are clicking that doesn't get rewritten? Not a description of the type of URL, but an actual specific example.
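The behaviour described in the comment above, as an added example that is not part of the original thread or the extension's source: the link shown in the page stays http:// while the outbound request is upgraded, and a ruleset that is off by default rewrites nothing. The rule contents, the `userEnabled` parameter and the function names are assumptions made for illustration.

```javascript
// Added illustration: request-level rewriting in the style of an HTTPS Everywhere ruleset.
// Rule contents are constructed for this example, not copied from the project's XML files.
const RULESETS = [
  {
    name: "Steam Community (constructed)",
    defaultOff: false,
    targets: ["steamcommunity.com", "*.steamcommunity.com"],
    exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Steam store (constructed)",
    defaultOff: true, // shipped disabled, so nothing is rewritten until the user enables it
    targets: ["store.steampowered.com"],
    exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// A target is either an exact host or a left-hand wildcard such as *.example.com.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the upgraded URL for an outbound request, or null when the request is left alone.
// userEnabled is a hypothetical set of ruleset names the user has switched on by hand.
function rewriteRequest(requestUrl, rulesets = RULESETS, userEnabled = new Set()) {
  const url = new URL(requestUrl);
  if (url.protocol !== "http:") return null; // only plain-HTTP requests are candidates
  for (const rs of rulesets) {
    if (rs.defaultOff && !userEnabled.has(rs.name)) continue;
    if (!rs.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(requestUrl))) continue;
    for (const { from, to } of rs.rules) {
      const rewritten = requestUrl.replace(from, to);
      if (rewritten !== requestUrl) return rewritten; // first rule that changes the URL wins
    }
  }
  return null;
}

// The link in the page is never edited; only the request made when it is followed is.
function followLink(anchorHref) {
  return { shownInPage: anchorHref, requested: rewriteRequest(anchorHref) ?? anchorHref };
}
```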

DelegatedCore commented 6 years ago

I've done that and I'll be damned. I couldn't reproduce it. I will try to find what other extension is interfering with HTTPS Everywhere and I'll contact the developers of the offending extension. The first suspect was SteamWizard as it adds features specifically to Steam. But after disabling it the problem persisted. Then I turned off Tampermonkey and still the problem persisted. All that remains are Privacy Badger and uBlock origin. :/

I then thought "fuck it" and turned off all my extensions except for HTTPS Everywhere. And the problem persists.. I have no clue what the problem is now as the problem persisted even when I bring the state of my profile to default manually but with a new profile the problem doesn't exist?

So I did what I probably should've done earlier in the test: disable all other extensions and reinstall https everywhere from the chrome store. Because goddammit the problem is gone now... Even when I reactivated all my other extensions.

I don't understand why but it's fixed. Thanks for your help. :)

DelegatedCore commented 6 years ago

Btw the method I used to test was by going to steamcommunity.com and then from the community dropdown click on market and then click on the first item listed as https was always lost somewhere in that chain. Either when clicking on market or on a listing.

DelegatedCore commented 6 years ago

Ok so I did some more testing and turns out it's actually not resolved! Found this out when trying to buy cards to complete a badge.

Route: steamcommunity.com (https) -> inventory (https) -> card select into badge page (https) -> search the market for this item (http)

After finding this out the other route to reliably test (community dropdown into market and then any item listed) also no longer gets upgraded to https! On any of those links!

When I try with the empty chrome profile the problems don't appear so it requires more thinking. Maybe it's an issue of tampermonkey scripts interfering. Although the script I use only activates on a badge page and not any other page so I don't know why the market links are not upgraded anymore. Maybe the tampermonkey script triggers the bug that then remains even when the script is no longer running?

DelegatedCore commented 6 years ago

In case you want to take a look at the script in question: https://bitbucket.org/Doctor_McKay/steam-trading-card-bulk-buyer/raw/tip/badgebuy.user.js

I noticed in the source code that it always uses https links and has this check in it:

```js
$(document).ready(function() {
    // Ensure that the page is loaded in HTTPS (Issue #19)
    if(document.location.protocol != "https:") {
        var badgePageUrl = window.location.href;
        badgePageUrl = badgePageUrl.replace("http://", "https://");
        window.location.href = badgePageUrl;
    }
    // (excerpt: the rest of the handler is not shown)
});
```

And this:

```js
var url = card.find('.btn_grey_grey.btn_medium[href*=market]')[0].href;
if (document.location.protocol == "https:") {
    url = url.replace("http://", "https://");
}
```

So maybe it really does interfere with https everywhere

DelegatedCore commented 6 years ago

In fact: I really think it interferes with https everywhere because I commented those two bits out and reinstalled https everywhere and now the issue is resolved again. I will make an issue on that at the bitbucket page of the script.

dxgldotorg commented 6 years ago

@DelegatedCore Thanks for the advice, I uninstalled and reinstalled HTTPS Everywhere, and now it is working again.

By the way, you didn't need to ping me on Steam, I get e-mail notifications on GitHub.

VenatusSimpleX commented 6 years ago

@DelegatedCore Hi, I'm the current maintainer of the script in question. Thanks for directing my attention to this issue here.

The initial problem was that not everyone uses HTTPS Everywhere, so a measure was put in in order to ensure that the page was loaded in HTTPS.

> In fact: I really think it interferes with https everywhere because I commented those two bits out and reinstalled https everywhere and now the issue is resolved again. I will make an issue on that at the bitbucket page of the script.

This is odd, because with or without HTTPS Everywhere, the script succeeds in purchasing any cards on my end.

However, I find that if I quickly purchase some cards right after it loads, the script fails to even load prices and will pop an error.

DelegatedCore commented 6 years ago

Well shit, that means these are two separate problems. I just went to test again and immediately on going to "steamcommunity.com" it is not elevated to HTTPS at all (nothing loads through https). Whereas on a fresh profile with HTTPS Everywhere it does work by immediately capturing the request and giving a 307 (internal redirect) to the browser.

I'm super confused at this point and feel like I can't help any further without specific direction.

@WilliamFeely Okay :)

jeremyn commented 6 years ago

I'm not sure what the status of this issue is, so let's do this:

@WilliamFeely Since you reported this issue, and the issue was that it wasn't rewriting steamcommunity.com, and now you say it's fixed (https://github.com/EFForg/https-everywhere/issues/12477#issuecomment-360839725), I think this issue should be closed. If you agree, please close it.

@DelegatedCore and @VenatusSimpleX I'm not sure what's going on with the problem you are describing. It seems like you are describing some complex problem involving another add-on that can only be verified by installing HTTPS Everywhere and this other add-on and then trying to buy Steam cards in bulk. Your best shot at getting the problem fixed will be to submit a pull request yourself. Take a look at our CONTRIBUTING.md guide. The ruleset logic is not complicated. Note however that you may need to wait a while to get your PR merged, if it gets merged at all. If for whatever reason you can't or don't want to submit a pull request, but you can identify the problem more specifically and in a reproducible way, you can create a new issue describing the problem.

Also, to everyone: please avoid profanity in comments, thanks.

patheticcockroach commented 6 years ago

The extension doesn't redirect http://steamcommunity.com to https://steamcommunity.com in Vivaldi for me - despite the rule being enabled. It used to work, it broke not very long ago (maybe about a month ago). Loading the HTTPS URL manually does work. Uninstalling then reinstalling the extension doesn't help.

dxgldotorg commented 6 years ago

@patheticcockroach Do you have any other extensions installed that perform URL rewriting? Sometimes these can conflict with HTTPS Everywhere.

patheticcockroach commented 6 years ago

I have uBlock, Ghostery, and ScriptSafe. They don't really rewrite URLs but they do block stuff. No issue on any site but Steam though

Bisaloo commented 6 years ago

@patheticcockroach, can you confirm that HTTPS Everywhere is working on other pages, such as http://freerangekitten.com/?

Vivaldi is apparently having issues with some extensions at the moment.

patheticcockroach commented 6 years ago

Wow, it actually doesn't... I guess Steam must be the only site I visit in Vivaldi where the HTTP->HTTPS transition isn't done by the site itself. A Vivaldi bug then, I'll forward this issue to https://vivaldi.com/bugreport/

gloomy-ghost commented 6 years ago

Casual clean up after merging #15087, is this issue still valid?

patheticcockroach commented 6 years ago

Works for me in Vivaldi

pipboy96 commented 5 years ago

No longer reproducible.