SEC7111 HTTP security compromised by Microsoft Edge extension

Confirmed Issue #8748330 • Assigned to Nishant N.

Details

Author
Gee L.
Created
Sep 2, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
14.14393
Reports
Reported by 7 people


Steps to reproduce

Reproduction

  1. Install OneNote Web Clipper from the Windows Store;
  2. Open any HTTPS-enabled website, e.g., microsoft.com;
  3. Press F12 to open the dev tools, go to the Console tab;
  4. Right-click the page, then click the ‘OneNote Web Clipper’ context menu item;
  5. Observe the console.

Behaviour

The console is populated with a lot of SEC7111: HTTPS security is compromised by …

Expected Behaviour

Since the user is in control of the extensions, and ms-browser-extension does not initiate insecure transfers over the network, HTTPS security should not be thought to be compromised by the ms-browser-extension protocol.

But if the extension accesses network resources, the check should be done accordingly.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Assigned To to “Sebastian P.”

    • I confirm that I have the same issue with my extensions.

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To from “Sermet I.” to “Scott L.”

      Changed Status to “Confirmed”

      Changed Assigned To to “Venkat K.”

    • I also experience SEC7111 warnings in the F12 console.
      I use Microsoft Edge 38.14393.0.0 / EdgeHTML 14.14393
      I have only the ‘Office Online’ extension installed.
      Entering, for example, this site:
      https://sekurak.pl/uwaga-na-najnowsze-rodzaje-skimmerow/
      none of the embedded YouTube videos is visible.

    • Microsoft Edge Team

      Changed Assigned To from “Venkat K.” to “Divya G.”

      Changed Assigned To from “Divya G.” to “Mohamed K.”

      Changed Assigned To from “Mohamed K.” to “Nishant N.”

    • Thanks for filing this bug! We’ve seen this bug internally as well, and it is a result of our developer tools displaying an error when they shouldn’t be. The underlying functionality works as expected (i.e. the extension checks when it has to and ignores extension-served resources on HTTPS sites under the hood), but the dev tools will still display errors regardless. We’ll address this in a future update, but hopefully this clarifies the issue a little.

      If you’re seeing a case where extension-served resources are actually blocked, please let us know and we will investigate further. 

    • Any update on this issue?
