Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

Fixed, not yet flighted Issue #11963735

Open new issue

Browse all tracked issues

Details

Author
Birunthan M.
Created
May 10, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Secure Contexts

Reports
Reported by 9 people

Sign in to watch or report this issue.

Steps to reproduce

According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:

In other words, e.g. fetch('http://127.0.0.1:1234/foo/bar') on a HTTPS site should be allowed without triggering the mixed content blocker.

Note Chrome (and soon Firefox) only whitelist ‘127.0.0.1’ and '::1’. See:

Attachments

0 attachments

    Comments and activity

    • Birunthan M. May 10, 2017 2017-05-10T17:09:06.38Z

      Changed Steps to Reproduce

    • Microsoft Edge Team

      Steven K. May 11, 2017 2017-05-11T16:42:22.48Z

      Changed Assigned To to “Steven K.”

      OSG V. Jun 13, 2017 2017-06-13T03:13:38.607Z

      Changed Assigned To to “Venkat K.”

      Venkat K. Jun 13, 2017 2017-06-13T22:19:56.27Z

      Changed Assigned To from “Venkat K.” to “Ali A.”

      Ali A. Jun 26, 2017 2017-06-26T17:35:09.01Z

      Changed Assigned To from “Ali A.” to “Rajat J.”

      Ali A. Jun 26, 2017 2017-06-26T17:35:09.01Z

      Changed Status to “Confirmed”

      Rajat J. Jun 27, 2017 2017-06-27T20:57:10.627Z

      Changed Status from “Confirmed” to “In progress”

      Rajat J. Jun 30, 2017 2017-06-30T02:43:50.13Z

      Changed Status from “In progress” to “Fixed”

      pbstools Jul 14, 2017 2017-07-14T05:58:51.103Z

      Changed Status from “Fixed” to “Fixed, not yet flighted”

    • Chris V. Aug 22, 2017 2017-08-22T14:26:52.693Z

      Has there been discussion of backporting this fix in a security update for IE11? In order to migrate to this model, we would need it to be supported across all major browsers, and IE11 looks like it’s becoming the sticking point.

    • Derek Z. Dec 2, 2017 2017-12-02T00:25:19.283Z

      Does “FIXED, NOT YET FLIGHTED” mean this issue will be fixed in a future release of Edge? Is there a particular version that will contains the fix?

    • Anonymous Apr 2, 2018 2018-04-02T03:36:07.18Z

      #16110645 was closed as a duplicate of this bug with an indication that the bug was solved in Edge 16245. However, this bug report is still listed as "Fixed, Not Yet Flighted". Please advise what that means…has the intended fix been released or not?

    • Jason M. Apr 23, 2018 2018-04-23T19:51:23.873Z Microsoft Edge Team

      Apologies for the lack of update to this issue. There’s a bug in the logic and fields we search on to automatically update the public bug status in some combinations. 

      This bug is closed and released. We shipped it with the Windows 10 Fall Creators update (1709). Again apologies this bug wasn’t automatically update to report the correct status.

    • Anonymous Apr 23, 2018 2018-04-23T20:02:24.72Z

      Jason M. - Appreciate the follow-up. However, I would urge the Edge Team to review the issue again. My understanding is that the Windows 10 Fall Creators update (1709) introduced this bug rather than resolving it.

    • Chris V. Apr 23, 2018 2018-04-23T21:01:11.82Z

      I agree. I have tested this issue with the latest version of Edge, but am still seeing the SEC7111: HTTPS security is compromised error. Jason M., you may want to review this ticket.

    You need to sign in to your Microsoft account to add a comment.

    Sign in