Steps to reproduce
According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:
In other words, e.g.
fetch('http://127.0.0.1:1234/foo/bar') on a HTTPS site should be allowed without triggering the mixed content blocker.
Note Chrome (and soon Firefox) only whitelist ‘127.0.0.1’ and '::1’. See:
Comments and activity
Changed Steps to Reproduce
- Microsoft Edge Team
Changed Assigned To to “Steven K.”
Changed Assigned To to “Venkat K.”
Changed Assigned To from “Venkat K.” to “Ali A.”
Changed Assigned To from “Ali A.” to “Rajat J.”
Changed Status to “Confirmed”
Changed Status from “Confirmed” to “In progress”
Changed Status from “In progress” to “Fixed”
Changed Status from “Fixed” to “Fixed, not yet flighted”
Has there been discussion of backporting this fix in a security update for IE11? In order to migrate to this model, we would need it to be supported across all major browsers, and IE11 looks like it’s becoming the sticking point.