CSP violation incorrectly indicates as mixed content

Fixed, not yet flighted Issue #8098084

Details

Author
Xiaoyin L.
Created
Jul 6, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
13.10586
Reports
Reported by 1 person


Steps to reproduce

Steps to reproduce:

  1. Visit https://education.github.com/ in Edge.
  2. You can see that the lock icon doesn’t exist on the address bar.
  3. Open F12 Console. Refresh the page. You can see:
    SEC7111: HTTPS security is compromised by https://education.github.com/
    CSP14312: Resource violated directive [...] in Content-Security-Policy: https://education.github.com/. Resource will be blocked.
  4. Do steps 1-3 in Chrome.

It is obviously wrong that “HTTPS security is compromised by https://education.github.com/”.

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Christian F.”

  • there is mixed content on the page
    CSP14312: Resource violated directive ‘frame-src *.vimeo.com *.olark.com platform.twitter.com connect.facebook.net *.facebook.com’ in Content-Security-Policy: https://education.github.com/. Resource will be blocked.

  • Firefox reports
    Content Security Policy: The page’s settings blocked the loading of a resource at data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZlbG9wZXJzLmdvb2dsZS5jb20vYW5hbHl0aWNzL2Rldmd1aWRlcy9jb2xsZWN0aW9uL2FuYWx5dGljc2pzLwoJdmFyIG5vb3BmbiA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgbm9vcG51bGxmbiA9IGZ1bmN0aW9uKCkgewoJCXJldHVybiBudWxsOwoJfTsKCS8vCgl2YXIgVHJhY2tlciA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgcCA9IFRyYWNrZXIucHJvdG90eXBlOwoJcC5nZXQgPSBub29wZm47CglwLnNldCA9IG5vb3BmbjsKCXAuc2VuZCA9IG5vb3BmbjsKCS8vCgl2YXIgZ2FOYW1lID0gd2luZG93Lkdvb2dsZUFuYWx5dGljc09iamVjdCB8fCAnZ2EnOwoJdmFyIGdhID0gZnVuY3Rpb24oKSB7CgkJdmFyIGxlbiA9IGFyZ3VtZW50cy5sZW5ndGg7CgkJaWYgKCBsZW4gPT09IDAgKSB7CgkJCXJldHVybjsKCQl9CgkJdmFyIGYgPSBhcmd1bWVudHNbbGVuLTFdOwoJCWlmICggdHlwZW9mIGYgIT09ICdvYmplY3QnIHx8IGYgPT09IG51bGwgfHwgdHlwZW9mIGYuaGl0Q2FsbGJhY2sgIT09ICdmdW5jdGlvbicgKSB7CgkJCXJldHVybjsKCQl9CgkJdHJ5IHsKCQkJZi5oaXRDYWxsYmFjaygpOwoJCX0gY2F0Y2ggKGV4KSB7CgkJfQoJfTsKCWdhLmNyZWF0ZSA9IGZ1bmN0aW9uKCkgewoJCXJldHVybiBuZXcgVHJhY2tlcigpOwoJfTsKCWdhLmdldEJ5TmFtZSA9IG5vb3BudWxsZm47CglnYS5nZXRBbGwgPSBmdW5jdGlvbigpIHsKCQlyZXR1cm4gW107Cgl9OwoJZ2EucmVtb3ZlID0gbm9vcGZuOwoJd2luZG93W2dhTmFtZV0gPSBnYTsKfSkoKTs= (“script-src https://education.github.com https://dwa5x7aod66zk.cloudfront.net ‘unsafe-eval’ ‘unsafe-inline’ https://www.google.com https://www.google-analytics.com https://api.demandbase.com https://*.olark.com https://platform.twitter.com https://connect.facebook.net https://*.facebook.com https://s3-eu-west-1.amazonaws.com/share.typeform.com/*”).
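The two console messages in the report come from two independent checks that Edge 13 conflated: mixed content is a plaintext (http: or ws:) subresource inside an https: page, while a CSP violation is the page's own policy refusing a load. The Firefox message above shows which check actually fired: the blocked resource is a data: script, and the page's script-src list has no data: source, so it is a CSP violation and cannot be mixed content (data: URLs carry no network scheme). The following is an added example, not code from the Edge issue or from any browser engine. It implements a simplified version of the CSP3 source-expression matching rules (keywords and hashes never match URLs, "*" covers only network schemes, "*." host wildcards, port and path-prefix checks) alongside a mixed-content check, and runs both over the script-src list quoted in the Firefox comment. The data: payload is a short constructed stand-in for the long one in the report, and the olark and http: comparison URLs are constructed too.

```javascript
// Added example, not code from the Edge issue or from any browser: a simplified
// CSP source-list matcher plus a mixed-content check, to show that the blocked
// data: script on the page is a CSP violation and not mixed content.
// URL is a global in browsers and in Node.js (v10+).

// Page and script-src list as quoted in the Firefox console message in the thread.
const PAGE_URL = "https://education.github.com/";
const SCRIPT_SRC = [
  "https://education.github.com", "https://dwa5x7aod66zk.cloudfront.net",
  "'unsafe-eval'", "'unsafe-inline'", "https://www.google.com",
  "https://www.google-analytics.com", "https://api.demandbase.com",
  "https://*.olark.com", "https://platform.twitter.com",
  "https://connect.facebook.net", "https://*.facebook.com",
  "https://s3-eu-west-1.amazonaws.com/share.typeform.com/*",
];

// Constructed stand-in for the long base64 data: script in the report (decodes to "// stub").
const DATA_SCRIPT = "data:application/javascript;base64,Ly8gc3R1Yg==";

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Does one CSP source expression match a parsed URL? Simplified from the CSP3
// "Does url match expression in origin with redirect count" algorithm.
function matchesSource(source, url) {
  // Keywords ('self', 'unsafe-inline', ...), nonces and hashes never match a URL.
  if (source.startsWith("'")) return false;
  // "*" matches any network scheme, but never data:, blob: or filesystem:.
  if (source === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  // A scheme source such as "https:" or "data:" matches every URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (!["http:", "https:"].includes(url.protocol)) {
    return false; // no scheme given: only the page's network scheme (simplified to http/https)
  }
  // "*.example.com" matches any subdomain of example.com (not example.com itself).
  const h = host.toLowerCase();
  if (h.startsWith("*.") ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  // Omitted port means the scheme's default port; "*" means any port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined ? url.port !== "" : port !== "*" && port !== urlPort) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path !== undefined) {
    if (!(path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  }
  return true;
}

// Does the directive's source list allow this URL? 'none' allows nothing.
function cspAllows(sourceList, resourceUrl) {
  const url = new URL(resourceUrl);
  if (sourceList.includes("'none'")) return false;
  return sourceList.some((source) => matchesSource(source, url));
}

// Mixed content is an insecure network subresource (http:, ws:) loaded by an https: page.
// data:, blob:, about:, https: and wss: resources are never mixed content.
function isMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  return page.protocol === "https:" && (res.protocol === "http:" || res.protocol === "ws:");
}

// Classify one script load the way a browser should report it. The two checks are
// independent, so a load can trip both, either, or neither.
function classifyScriptLoad(pageUrl, scriptSrc, resourceUrl) {
  return {
    mixedContent: isMixedContent(pageUrl, resourceUrl),
    cspViolation: !cspAllows(scriptSrc, resourceUrl),
  };
}

// Stand-alone run: the data: script from the report plus two constructed comparison loads.
for (const u of [DATA_SCRIPT, "https://static.olark.com/jsclient/loader.js",
                 "http://example.com/tracker.js"]) {
  console.log(u.slice(0, 40), classifyScriptLoad(PAGE_URL, SCRIPT_SRC, u));
}
```

For the data: script the result is `{ mixedContent: false, cspViolation: true }`, which is what Firefox and Chrome report and what the fixed Edge build does; only an http: script on this page would set `mixedContent`. The right fix on the site side is to stop injecting scripts via data: URLs, not to add `data:` to script-src, since a `data:` source lets any injected markup execute script.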

  • Microsoft Edge Team

    Changed Assigned To to “Ted D.”

    Changed Status to “Confirmed”

    Changed Assigned To from “Ted D.” to “Liang Z.”

    Changed Status from “Confirmed” to “Fixed, not yet flighted”

  • Thanks for reporting the issue. It is fixed in code for
    future releases of Edge.

    The lock icon will be kept. And aligning with Chrome and
    Firefox, Edge will not log either of the console messages.

    All the best,

    The MS Edge Team

  • Microsoft Edge Team

    Changed Status from “Fixed, not yet flighted” to “Fixed, flighted”

    Changed Status from “Fixed, flighted” to “Fixed, not yet flighted”
