Content from loopback addresses (e.g. should not be considered mixed content

Fixed Issue #18003417


Jun 22, 2018
This issue is public.
Reported by 14 people


Steps to reproduce

Check-in Instructions

Conflict Contact


Submitted by


What is the issue?

In general, if a page hosted over HTTPS loads any sub-resource over HTTP, Edge by default blocks the sub-resource download and shows a notification to the user.

For interop reasons we need to treat resources from localhost and loopback addresses as secure even when they are loaded over HTTP on an HTTPS page.

How was the issue/bug found?

CSS has requested to service the bug in order to unblock Coca Cola.

Quantify the impact of the issue - why do we need to service this issue now?


In fact, this bug is impacting enterprise customers that use software from has over 85K customers and is on track to do $600M this year; they’re one of the largest content management companies.

Problem comes when the hosting page is

similar) but an iframe is pulling localhost content via local host

Regression from RS3. We made a fix in RS3 for localhost but did not port it to the fetch layer.

Is the fix ready and what is it?

The fix is to treat resource loads over loopback and localhost as secure, so that the Edge browser doesn’t block them by default.

How was the fix Validated?

Repro provided by the customer:

Host the attached content locally in IIS and then access the page using (Edge Mixed


The error we saw in the Edge console is SEC7111: HTTPS security is compromised by


No error warning

Regression risk level of the fix


Has the fix been flighted in a RS5 flight?


Flighted in WIP Fast 17692 on 6/13. No issues so far.

DRT added


Do you have any data points that can be monitored to ensure that the fix works or if there are adverse effects from the fix?


Does this fix need to be backported to TH2, RS1, RS2, RS3 or prior releases (for SAC/LTSB customers)?

RS4 and RS3 only

QD signing off on this change


How to validate/test for regressions
for WSD pre-release validation)

We already flighted the fix and haven’t seen any regressions. We also added test coverage along with the fix.

Is this Product regression or Servicing regression?

provide bug that caused the regression.

Product regression in RS3.

Release notes (if Rel Note field == Yes)


According to the spec, content from loopback addresses should no longer be treated as mixed content, even in secure origins. See: - - In other words, e.g. fetch('') on an HTTPS site should be allowed without triggering the mixed content blocker. Note that Chrome (and soon Firefox) only whitelist '' and '::1'. See: - -
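
The loopback exemption described above, sketched as an added example (not Edge's code and not part of the original report). The function names, the result labels and the sample URLs are assumptions; the loopback ranges 127.0.0.0/8 and ::1/128 are the ones defined by the W3C Secure Contexts specification.

```javascript
// Added example, not Edge's implementation. Function names are hypothetical.
// Loopback ranges per W3C Secure Contexts: 127.0.0.0/8 and ::1/128.
function isLoopbackHost(hostname, trustLocalhostName = true) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  // The WHATWG URL parser serializes IPv6 hosts compressed and in brackets.
  if (host === '[::1]') return true;
  // It also normalizes every IPv4 spelling (hex, integer, short forms) to
  // four decimal octets, so an anchored pattern covers 127.0.0.0/8 and
  // rejects lookalike domains that merely start with "127.".
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  // Assumption: trusting the *name* localhost is only sound where the
  // resolver guarantees it maps to a loopback address, hence the switch.
  return Boolean(trustLocalhostName) &&
    (host === 'localhost' || host.endsWith('.localhost'));
}

// Classify one sub-resource load made by a page. Only http(s) and ws(s)
// targets are modelled; other schemes are reported as 'not-modelled'.
function classifyLoad(pageUrl, resourceUrl, trustLocalhostName = true) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // resolves relative URLs
  if (page.protocol !== 'https:') return 'page-not-https';
  if (res.protocol === 'https:' || res.protocol === 'wss:') return 'secure';
  if (res.protocol !== 'http:' && res.protocol !== 'ws:') return 'not-modelled';
  return isLoopbackHost(res.hostname, trustLocalhostName)
    ? 'loopback-exempt'
    : 'mixed-content';
}

// Constructed sample inputs (not taken from the bug report).
const PAGE = 'https://intranet.example/app';
const SAMPLES = [
  '/img/logo.png',                     // relative, inherits https
  'http://127.0.0.1:8080/status',      // IPv4 loopback
  'http://[0:0:0:0:0:0:0:1]:8080/s',   // IPv6 loopback, uncompressed form
  'http://2130706433/x',               // integer spelling of 127.0.0.1
  'http://localhost:8080/status',      // name, depends on the switch
  'http://127.0.0.1.example.net/x',    // lookalike domain, not loopback
  'http://192.168.1.10/x',             // private address, not loopback
];

// Returns [url, verdict] pairs for the sample list.
function audit(trustLocalhostName = true) {
  return SAMPLES.map((u) => [u, classifyLoad(PAGE, u, trustLocalhostName)]);
}

console.table(audit());
```

Calling `audit(false)` shows the stricter behaviour in which only IP-literal loopback addresses are exempt and the name `localhost` is still reported as mixed content.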


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Rajat J.”

      Changed Steps to Reproduce

      Changed Assigned To from “Rajat J.” to “Tony Z.”

      Changed Steps to Reproduce

      Changed Status to “In progress”

      Changed Assigned To from “Tony Z.” to “Robert Z.”

      Changed Assigned To from “Robert Z.” to “Taeksoo J.”

      Changed Assigned To from “Taeksoo J.” to “Prabs C.”

      Changed Status from “In progress” to “Fixed”

      Changed Assigned To from “Prabs C.” to “Robert Z.”

      Changed Assigned To from “Robert Z.” to “Prabs C.”
