19 Jun 2013, 23:13

Firefox 23 to block by default Mixed Active Content

What is the issue?

A few definitions to start with:

  • Mixed content is when a page served over https loads some of its content from an http URL. The consequence is that the whole page is no longer fully encrypted: the unencrypted part can be tampered with in a man-in-the-middle attack or used to inject malicious code.
  • Mixed passive content (aka Mixed Display Content): content that does not impact or alter your page beyond the portion of the page where it is rendered; think of images, video, audio and similar content. It is called passive because loading it does not change the behaviour of the page.
  • Mixed active content (aka Mixed Script Content): this content, on the contrary, has the ability to change the way the page is rendered and thus potentially to get data from the user. It covers JavaScript, CSS files, XHR requests (Ajax), iframes and fonts.

So from Firefox 23, only mixed active content will be blocked by default and reported to the user, who may then choose to load the blocked content. Mixed passive content will still be allowed.

How can I test it?

You can test it before Firefox 23 is released: open about:config, accept the warning page ("I'll be careful, I promise!"), then set "security.mixed_content.block_active_content" to true.

You can also see it with the dev tools: [MIXED CONTENT] warnings may appear in the web console.

How are you impacted, you will ask?

So if your site uses https URLs, you definitely have to run some tests to check whether you have mixed content and fix it, especially if you have mixed active content.
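As an added example (not from the original post), here is a small Python scanner that applies the definitions above to a page's HTML: it resolves every subresource URL against the page's https address and reports the http:// ones, split into active and passive. The tag list and the sample page are my own assumptions; XHR requests and @font-face loads happen from script and CSS, so a static scan of the HTML will not see those.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource tag/attribute pairs, classified as in the definitions above:
# active content can run code or restyle the page, passive content cannot.
SUBRESOURCES = {
    ("script", "src"): "active", ("link", "href"): "active",
    ("iframe", "src"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced from an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = {"active": [], "passive": []}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> loads CSS; icons and the like are skipped.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for name, value in attrs.items():
            kind = SUBRESOURCES.get((tag, name))
            if kind and value:
                # Relative and protocol-relative ("//host/x.js") URLs inherit
                # the page's https scheme, so only an explicit http:// is mixed.
                url = urljoin(self.page_url, value)
                if urlsplit(url).scheme == "http":
                    self.findings[kind].append(url)

def scan_page(page_url, html):
    """Return {'active': [...], 'passive': [...]} http:// URLs in an https page."""
    scanner = MixedContentScanner(page_url)
    if urlsplit(page_url).scheme == "https":  # a plain http page is never mixed
        scanner.feed(html)
    return scanner.findings

# Constructed sample page (not a real site) exercising each case above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body><img src="http://img.example.test/logo.png">
<iframe src="/embedded"></iframe>
<video src="http://media.example.test/intro.mp4"></video></body></html>"""
```

Calling scan_page("https://www.example.test/", SAMPLE_HTML) reports the stylesheet and the tracker script as active and the image and video as passive; the protocol-relative script and the relative iframe resolve to https and are not flagged.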

Regarding Firefox Release

  • Current stable release is Firefox 21
  • Firefox 22 is to be released on 24th June
  • No date yet for Firefox 23, but it will be in Q3 I think