Mozilla plans to launch a new feature in Firefox 60 that upgrades optionally-blockable mixed content on HTTPS sites to HTTPS if possible.
The migration to an HTTPS-powered World Wide Web is in full swing. One of the byproducts of the migration is that some sites may load both HTTPS and HTTP content. This is called Mixed Content, and it is undesirable because it reduces security and privacy if loaded.
Mixed Content is divided into blockable and optionally-blockable content. Modern web browsers block any content that may interfere with the display of data on HTTPS web pages if it is loaded using HTTP. Think of a script that is loaded from an HTTP resource on an HTTPS site.
Optionally-blockable content, on the other hand, is usually not blocked by browsers. This is static content such as images or videos that can’t interfere with the web page or data directly.
Firefox displays a different lock symbol on sites with mixed content that is optionally blockable. The browser displays a green lock symbol on HTTPS sites without mixed content.
While optionally-blockable mixed content is less dangerous than blockable mixed content, it is still problematic from a privacy point of view.
HTTPS upgrade for Mixed Content in Firefox
Mozilla Firefox 60 includes a feature that changes the browser’s behavior when it comes to mixed content that is optionally blockable.
Firefox attempts to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains. If the resource cannot be loaded, it is not displayed at all. This can lead to image, video or audio content not being shown correctly in the browser because of the change.
The limitation is likely the main reason why Mozilla won’t activate the feature by default in Firefox 60.
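For site operators, an added example (not from the original article or from Mozilla) that lists the HTTP subresources in a page and shows which URL the upgrade would request for the optionally-blockable ones. The tag classification is a simplified assumption, and the sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Simplified classification (an assumption based on the article's description):
# static media is optionally-blockable, active content is blockable.
OPTIONAL_TAGS = {"img", "video", "audio"}
BLOCKABLE_TAGS = {"script", "iframe"}

class MixedContentAudit(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, kind, upgraded_url or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in OPTIONAL_TAGS:
            url, kind = a.get("src"), "optionally-blockable"
        elif tag in BLOCKABLE_TAGS:
            url, kind = a.get("src"), "blockable"
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url, kind = a.get("href"), "blockable"
        else:
            return
        parts = urlsplit((url or "").strip())
        if parts.scheme != "http":
            return  # https, relative, protocol-relative and data: URLs are fine
        # The upgrade requests the same host and path over https (media only).
        upgraded = parts._replace(scheme="https").geturl() if kind != "blockable" else None
        self.findings.append((tag, url.strip(), kind, upgraded))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, assumed to be served from https://shop.example/
SAMPLE = """
<script src="http://cdn.example/lib.js"></script>
<img src="http://images.example/banner.png?size=l">
<img src="/static/logo.png">
<video src="HTTP://media.example/clip.mp4"></video>
"""

if __name__ == "__main__":
    for tag, url, kind, upgraded in audit(SAMPLE):
        print(kind, f"<{tag}>", url, "->", upgraded or "(no upgrade, blocked)")
```

Each upgraded URL that does not answer over HTTPS is a resource that would no longer be displayed with the preference enabled.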
The feature won’t be enabled by default in Firefox 60 but users can set it to enabled in the following way:
- Load about:config?filter=security.mixed_content.upgrade_display_content in the Firefox address bar.
- Double-click on the preference to set it to true.
You can revert the change at any time by setting the preference to false, or by right-clicking on it and selecting the reset option from the context menu.
Now You: Do you care about mixed content? (via Sören)