Content from loopback addresses (e.g. 127.0.0.1) should not be considered mixed content

Duplicate Issue #16110645 • See Issue #11963735

Details

Author
Sai d.
Created
Feb 26, 2018
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Duplicates
See progress on Bug #11963735
Reports
Reported by 3 people

Steps to reproduce

According to the W3C spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:
https://github.com/w3c/webappsec-mixed-content/commit/349501cdaa4b4dc1e2a8aacb216ced58fd316165
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

In other words, e.g. fetch('http://127.0.0.1:1234/foo/bar') on an HTTPS site should be allowed without triggering the mixed content blocker.

Note Chrome and Firefox only whitelist '127.0.0.1' and '::1'. See:
https://chromium.googlesource.com/chromium/src.git/+/130ee686fa00b617bfc001ceb3bb49782da2cb4e
https://bugzilla.mozilla.org/show_bug.cgi?id=903966

Attachments

0 attachments
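
The difference between the spec's loopback ranges (127.0.0.0/8 and ::1/128) and the two-literal allowlist the report attributes to Chrome and Firefox can be shown with a small classifier. This is an added example, not code from the report or from any browser; the function names and the sample URLs are constructed for illustration, and it assumes a runtime with the WHATWG `URL` parser (a browser or Node.js).

```javascript
// Added example: decide whether a request made from an HTTPS page would count
// as mixed content, under two policies described in the report above.
//   spec   : loopback = 127.0.0.0/8 or ::1/128
//   narrow : only the literals 127.0.0.1 and ::1
// Simplification (assumption): any scheme other than https:/wss: is insecure.

// The URL parser serializes IPv6 hosts compressed and in brackets.
const NARROW_ALLOWLIST = new Set(['127.0.0.1', '[::1]']);

function isSpecLoopback(hostname) {
  if (hostname === '[::1]') return true;                    // ::1/128
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;              // names (e.g. "localhost") are not IP literals here
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127; // 127.0.0.0/8
}

function classifyMixedContent(rawUrl) {
  // Always decide on the parsed host: the parser canonicalizes short and
  // expanded address forms, and a string prefix check would be fooled by
  // hostnames that merely start with "127.0.0.1".
  const url = new URL(rawUrl);
  if (url.protocol === 'https:' || url.protocol === 'wss:') {
    return { host: url.hostname, spec: 'allowed', narrow: 'allowed' };
  }
  return {
    host: url.hostname,
    spec: isSpecLoopback(url.hostname) ? 'allowed' : 'mixed',
    narrow: NARROW_ALLOWLIST.has(url.hostname) ? 'allowed' : 'mixed',
  };
}

// Constructed sample URLs covering the cases where the two policies differ.
function demo() {
  return [
    'http://127.0.0.1:1234/foo/bar',   // the report's example
    'http://127.1/',                   // short form, parsed to 127.0.0.1
    'http://127.0.0.2/',               // in 127.0.0.0/8 but not on the narrow list
    'http://[0:0:0:0:0:0:0:1]:8080/',  // expanded ::1
    'http://localhost:1234/',          // a name, not an address literal
    'http://127.0.0.1.example.com/',   // ordinary remote hostname
  ].map((u) => ({ url: u, ...classifyMixedContent(u) }));
}

console.table(demo());
```
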

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “James M.”

    • Hi James, are there any updates to this issue?

    • Any update?

    • Microsoft Edge Team

      Changed Status to “Duplicate”

    • Hello,

      Thank you for providing this information about the issue. We previously confirmed the problem and published a solution in Edge 16245. We are resolving this issue as a duplicate of an existing internal bug report. We look forward to additional feedback you may have on how we can improve Microsoft Edge.

      Best Wishes,
      The MS Edge Team

    • This bug has been marked as duplicate. Please follow the parent issue to get new updates.