Steps to reproduce
Steps to reproduce:
- Launch Edge, and navigate to https://www.ncdot.gov/dmv/driver/id/
- After the page is fully loaded, you can see there’s no lock icon in the address bar. Then click on the address bar, you can see the webpage does use HTTPS.
- Open F12. Go to Console panel. Refresh the page. You can see an error message: "SEC7111: HTTPS security is compromised by data:image/png;base64,[…]"
- Repeat steps 1-3 in IE 11, Firefox, and Chrome. Images with data URI are not treated as mixed content in these browsers.
The behavior in Edge that resources with data URI are treated as mixed content is wrong according to the W3C spec "Mixed Content", which says "we also don’t wish to block [data URLs] as mixed content, as they never hit the network".  This wrong behavior also affects user experience, since users can’t see the lock icon even though the site uses HTTPS correctly.
Comments and activity
Edge version: EdgeHTML 15.15063 on Windows 10 Build 15063 x64 with updates up to August 2017.
- Microsoft Edge Team
Changed Assigned To to “Steven K.”
I am not able to repro this issue on 15063.540. Can you verify that this issue still is occurring on that site? Perhaps the site has been modified.
I will create a simplified repro to text data URI usage.
I can’t reproduce it on that site either now. I will post back if I find out a way to repro this issue with a simplified PoC.
Thanks for the quick reply. Will you tell me the extended version of Windows you are using? E.g. 15650.xxx
To get the
Windows 10 version number, use the keyboard shortcut Win + S and then type ‘winver’
without the quotation marks and hit the enter key.
Also, I was thinking this could be related to this bug report:
However, that bug report was with an extension and your submission actually disables the lock icon from displays, I.e. has an impact to the session.
The extended version is: 15063.540. I don’t have any extensions installed. Thank you for your investigation!