Images with data URI shouldn't cause mixed content warning

Issue #13273461 • Assigned to Steven K.

Details

Author: Xiaoyin L.
Created: Aug 15, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Standard affected: Mixed Content
Found in build #: 15.15063
Reports: Reported by 1 person

Steps to reproduce

  1. Launch Edge, and navigate to https://www.ncdot.gov/dmv/driver/id/
  2. After the page is fully loaded, you can see there’s no lock icon in the address bar. Then click on the address bar; you can see the webpage does use HTTPS.
  3. Open F12. Go to Console panel. Refresh the page. You can see an error message: "SEC7111: HTTPS security is compromised by data:image/png;base64,[…]"
  4. Repeat steps 1-3 in IE 11, Firefox, and Chrome. Images with data URI are not treated as mixed content in these browsers.

The behavior in Edge that resources with data URI are treated as mixed content is wrong according to the W3C spec "Mixed Content", which says "we also don’t wish to block [data URLs] as mixed content, as they never hit the network". [1] This wrong behavior also affects user experience, since users can’t see the lock icon even though the site uses HTTPS correctly.

[1] https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url
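The classification the report relies on, sketched as an added example (not part of the original issue and not Edge's implementation): a small audit that lists the subresources of an HTTPS page that count as mixed content, with `data:` URLs exempt. The function names, the sample markup and the `example.com` hosts are assumptions, and only `https:` and `wss:` are treated as potentially trustworthy, which is narrower than the spec's full definition.

```javascript
// Added example (not Edge's implementation): simplified mixed-content audit.
// Assumption: only https: and wss: count as potentially trustworthy here;
// the spec's full definition also covers cases such as loopback hosts.
const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:"]);
// Elements the Mixed Content spec treats as optionally-blockable (passive).
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

function isAPrioriAuthenticated(rawUrl, pageUrl) {
  const url = new URL(rawUrl, pageUrl); // resolves relative and //host URLs
  // data: URLs are special-cased: they never hit the network.
  return url.protocol === "data:" || TRUSTWORTHY_SCHEMES.has(url.protocol);
}

function findMixedContent(html, pageUrl) {
  if (new URL(pageUrl).protocol !== "https:") return []; // only HTTPS pages
  const srcAttr =
    /<(img|script|iframe|audio|video|source)\b[^>]*?\ssrc\s*=\s*(["'])(.*?)\2/gi;
  const findings = [];
  for (const [, tag, , src] of html.matchAll(srcAttr)) {
    if (isAPrioriAuthenticated(src, pageUrl)) continue;
    const name = tag.toLowerCase();
    findings.push({
      tag: name,
      src,
      category: PASSIVE_TAGS.has(name) ? "optionally-blockable" : "blockable",
    });
  }
  return findings;
}

// Constructed sample page; hosts and markup are illustrative only.
const SAMPLE_PAGE_URL = "https://www.example.com/dmv/";
const SAMPLE_HTML = `
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="http://images.example.com/logo.png">
<script src="/js/app.js"></script>
<img src='//cdn.example.com/banner.png'>
<iframe src="http://frames.example.com/widget.html"></iframe>`;

for (const f of findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${f.category}: <${f.tag}> ${f.src}`);
}
```

An optionally-blockable finding is the kind that removes the lock icon without blocking the load, which is the symptom described in step 2.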

Comments and activity

  • Edge version: EdgeHTML 15.15063 on Windows 10 Build 15063 x64 with updates up to August 2017.

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Xiaoyin,

    I am not able to repro this issue on 15063.540. Can you verify that this issue still is occurring on that site? Perhaps the site has been modified.

    I will create a simplified repro to test data URI usage.

    Steve

  • I can’t reproduce it on that site either now. I will post back if I find out a way to repro this issue with a simplified PoC.

  • Thanks for the quick reply. Will you tell me the extended version of Windows you are using? E.g. 15650.xxx

    To get the Windows 10 version number, use the keyboard shortcut Win + S and then type ‘winver’ without the quotation marks and hit the enter key.

    Also, I was thinking this could be related to this bug report:
    https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8748330/

    However, that bug report was with an extension and your submission actually disables the lock icon from displaying, i.e. has an impact on the session.

  • The extended version is: 15063.540. I don’t have any extensions installed. Thank you for your investigation!
