Content from loopback addresses (e.g. should not be considered mixed content

Fixed, not yet flighted Issue #11963735


Birunthan M.
May 10, 2017
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Secure Contexts

Reported by 8 people

Sign in to watch or report this issue.

Steps to reproduce

According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:

In other words, e.g. fetch('') on a HTTPS site should be allowed without triggering the mixed content blocker.

Note Chrome (and soon Firefox) only whitelist ‘’ and '::1’. See:


0 attachments

    Comments and activity

    • Changed Steps to Reproduce

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Ali A.”

      Changed Assigned To from “Ali A.” to “Rajat J.”

      Changed Status to “Confirmed”

      Changed Status from “Confirmed” to “In progress”

      Changed Status from “In progress” to “Fixed”

      Changed Status from “Fixed” to “Fixed, not yet flighted”

    • Has there been discussion of backporting this fix in a security update for IE11? In order to migrate to this model, we would need it to be supported across all major browsers, and IE11 looks like it’s becoming the sticking point.

    • Does “FIXED, NOT YET FLIGHTED” mean this issue will be fixed in a future release of Edge? Is there a particular version that will contains the fix?

    You need to sign in to your Microsoft account to add a comment.

    Sign in