Inline SVG fails to render in security hardened environment

Needs root cause Issue #7126567 • Assigned to Bogdan B.


Szpisjak D.
Apr 6, 2016
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Needs root cause
Reported by 2 people

Steps to reproduce

  1. Create a site which employs HTTPS and HSTS headers.
  2. Place an iframe on this page whose source is also an HTTPS domain.
  3. The iframe has an inline SVG background specified as base64 data.
  4. When an image is loaded via HTTP (note the missing SSL) inside the iframe, the inline SVG background fails to render, without any warnings.
    Expected behaviour: The inline SVG should render correctly as in Chrome, Safari, Firefox.
    Console message includes a mixed content warning, which is ok:
SEC7111: HTTPS security is compromised by [image url]

Proof of concept page can be checked here:
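
Added example, not the reporter's proof-of-concept page: the iframe document from steps 3 and 4 built in JavaScript, with a helper that lists the plain-HTTP image loads behind the SEC7111 warning so they can be moved to HTTPS. The SVG, the URLs and all function names are constructed for illustration.

```javascript
// Added example: builds the iframe document from the reproduction steps and
// lists the image loads that would produce the mixed content warning.
// All names, URLs and the SVG itself are constructed for illustration.

// A black check mark drawn as inline SVG (constructed sample, ASCII only).
const CHECK_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">' +
  '<path d="M4 16l8 8L28 6" stroke="black" stroke-width="4" fill="none"/></svg>';

// Step 3: the SVG as a base64 data URI usable in a CSS background.
function svgDataUri(svg) {
  return 'data:image/svg+xml;base64,' + btoa(svg);
}

// Steps 3 and 4: the document served inside the HTTPS iframe. imageUrl is the
// separately loaded image; an http:// URL gives the condition in the report.
function buildFrameDocument(imageUrl) {
  return [
    '<!DOCTYPE html>',
    '<html><head><style>',
    '  .box { width: 200px; height: 100px; background: red url("' +
      svgDataUri(CHECK_SVG) + '") no-repeat left top; }',
    '</style></head><body>',
    '  <div class="box"></div>',
    '  <img src="' + imageUrl + '" alt="">',
    '</body></html>'
  ].join('\n');
}

// Returns the <img> sources fetched over plain HTTP. data: URIs and
// https:// URLs are not mixed content and are skipped.
function findInsecureImages(html) {
  const found = [];
  const imgSrc = /<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = imgSrc.exec(html)) !== null) {
    const src = m[2].trim();
    if (/^http:\/\//i.test(src)) found.push(src);
  }
  return found;
}

const frameDoc = buildFrameDocument('http://images.example/photo.png');
console.log(findInsecureImages(frameDoc));
```
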


    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Rick J.”

    • If the page is good you should see a black check mark on the upper left corner of the red rectangle.

      We tested this under the following browsers:
      IE9 - no checkmark (BAD)
      IE10 - checkmark displayed (OK)
      IE11 - checkmark displayed (OK)
      EDGE - no checkmark (BAD)

    • Microsoft Edge Team

      Changed Assigned To to “Rick J.”

      Changed Assigned To to “Bogdan B.”

      Changed Status to “Confirmed”

    • Any update on this? This is blocking HSTS deployment for us!

    • This seems to be fixed with the current latest of EDGE and IE9. Can you please confirm this on your side?


    • Microsoft Edge Team

      Changed Status from “Confirmed” to “Won’t fix”

      Changed Status from “Won’t fix” to “Needs root cause”

    • Reactivating auto-resolved valid bugs reported by web dev community. Those were not expected to be resolved. We apologize for any inconvenience!

    • Microsoft Edge Team

      Changed Assigned To to “Bogdan B.”

