Outlook Add-in not working ONLY in Outlook for Web in IE 11

Question

Outlook Add-in that we developed works in native Outlook apps and Outlook for Web on Chrome with no problems, but we can't get it run on IE 11.

We get the following errors in console on IE 11:

SEC7111: HTTPS security is compromised by res://ieframe.dll/errorPageStrings.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPagesScripts.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/red_x.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/background_gradient.jpg
SEC7111: HTTPS security is compromised by res://ieframe.dll/forbidframing.htm
SEC7111: HTTPS security is compromised by res://ieframe.dll/errorPageStrings.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPagesScripts.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/red_x.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/background_gradient.jpg

We examined the network request. The server returns the HTML content but for some reason that content isn't rendered on the screen. Instead this is:

Because of this problem, we can't pass Office store validation. We are looking for a solutions which we can apply to our code without needing a user to update it's IE security options. Please help! Thank you

In addition to Deepak's answer, make sure you are using a fully trusted SSL certificate for the URL that is serving the add-in pages/scripts. If the certificate is not fully trusted, the add-in may not show. — Brian Clink, Sep 27 '19 at 15:22

score 0 · Answer 1 · answered Sep 23 '19 at 14:41

This is mixed content related error.

The mixed content warning occurs when a web developer references an insecure (http) resource within a secure (https) page. Such references create vulnerabilities that put the privacy and integrity of an otherwise-secure page at risk, because the insecure content could be modified in transit. If added to the DOM, insecurely-delivered content can read or alter the rest of the page even if the bulk of the page was delivered over a secure connection. These types of vulnerabilities are becoming increasingly dangerous as more users browse using untrusted networks (e.g. at coffee shops), and as attackers improve upon DNS-poisoning techniques and weaponize exploits against unsecure traffic.

For security and user-experience reasons, mixed content vulnerabilities should be fixed by the web developer. In principle, this is very simple: within a HTTPS page, never include a link to a HTTP-delivered resource.

User can also try to enable the display mixed content option in security tab of Internet options.