Inline SVG fails to render in security hardened environment

Confirmed Issue #7126567 • Assigned to Bogdan B.

Details

Author
Szpisjak D.
Created
Apr 6, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Reports
Reported by 2 people


Steps to reproduce

  1. Create a site which employs HTTPS and HSTS headers.
  2. Place an iframe on this page whose source is also an HTTPS domain.
  3. The iframe has an inline SVG background specified as base64 data.
  4. When an image is loaded via HTTP (note the missing SSL) inside the iframe, the inline SVG background fails to render, without any warnings.
    Expected behaviour: The inline SVG should render correctly as in Chrome, Safari, Firefox.
    Console message includes a mixed content warning, which is ok:
SEC7111: HTTPS security is compromised by [image url]

Proof of concept page can be checked here: https://ie9-hsts.herokuapp.com/
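
A minimal sketch of the pages described in steps 1 to 4, added here as an example and not taken from the reporter's proof of concept. The host names, the check-mark SVG, the `max-age` value and all function names are assumptions; `insecureSubresources` lists the plain-HTTP loads behind the SEC7111 message.

```javascript
// Added example: constructed markup; hosts and the SVG are placeholders.

// Step 1: response header sent with both pages (max-age is an assumed value).
const HSTS_HEADER = { "Strict-Transport-Security": "max-age=31536000" };

// Constructed black check mark, standing in for the PoC's inline background.
const SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">' +
  '<path d="M4 12l5 5L20 6" fill="none" stroke="#000" stroke-width="3"/></svg>';

// Step 3: inline the SVG as a base64 data URI, so no network fetch is involved.
function svgDataUri(svg) {
  return "data:image/svg+xml;base64," + Buffer.from(svg, "utf8").toString("base64");
}

// Step 2: outer page framing a second HTTPS origin.
function outerPage(frameUrl) {
  return '<!doctype html><html><body><iframe src="' + frameUrl +
    '"></iframe></body></html>';
}

// Steps 3-4: framed page with the inline background and one <img>.
function framePage(imageUrl) {
  return '<!doctype html><html><body>' +
    '<div style="width:200px;height:100px;background:red url(' +
    svgDataUri(SVG) + ') no-repeat"></div>' +
    '<img src="' + imageUrl + '" alt=""></body></html>';
}

// Heuristic scan (regex, not a full HTML parser) for subresources requested
// over plain HTTP, the requests that produce the SEC7111 console message.
function insecureSubresources(html) {
  const patterns = [
    /<(?:img|script|iframe|audio|video|source|embed)\b[^>]*?\ssrc\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi,
    /url\(\s*["']?(http:\/\/[^"')\s]+)/gi,
  ];
  const found = [];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) found.push(m[1]);
  }
  return found;
}

// Report what the framed page would load insecurely.
console.log(insecureSubresources(framePage("http://images.example/photo.png")));
```

The base64 data URI is never reported by the scan, so on the constructed page the only finding is the `<img>` loaded over HTTP.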

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Rick J.”

    • If the page is good you should see a black check mark on the upper left corner of the red rectangle.

      We tested this under the following browsers:
      IE9 - no checkmark (BAD)
      IE10 - checkmark displayed (OK)
      IE11 - checkmark displayed (OK)
      EDGE - no checkmark (BAD)

    • Microsoft Edge Team

      Changed Assigned To to “Rick J.”

      Changed Assigned To to “Bogdan B.”

      Changed Status to “Confirmed”

    • Any update on this? This is blocking HSTS deployment for us!
      regards,
      Daniel

    • This seems to be fixed with the current latest of EDGE and IE9. Can you please confirm this on your side?

      regards,
      Daniel
