Firefox 23 to Block Mixed Content

Firefox 23 is due for release on 17 May 2013. An important update with this release will be the default setting to block mixed content on websites.

What is mixed content?
This is when a page loaded over https also contains elements which are loaded over http. These elements can include css files, images, javascript and iframes. As part of the update Firefox is making two distinctions with mixed content.

Mixed Passive Content
This is content that is loaded over http but is unable to affect the actual coding of the page. For example an image loaded in the browser is unable to affect the scripted actions of the page. However an attacker would be able to intercept the headers of the image request and obtain information such as user agent and cookies.

Requests that include Mixed Passive Content over https will load but the padlock will not be shown in Firefox.

FireFox Mixed Content No Padlock

Mixed Active Content
These are page elements which can have a major impact in the security of the page. These include objects such as javascript, CSS, iframes, fonts. When Firefox loads a website with this type of content present then it will block the content and show a shield in the address bar.

Firefox Mixed Active Content Shield

When a user clicks the shield they get the option to Keep blocking or disable the protection for that page.

If the user opts to disable the protection then the page will load including the mixed content but the address bar will show a yellow warning triangle.

Firefox Mixed Content Warning

Removing mixed Content from Your Website
Many web designers have grown a little lazy and will often insert elements on the website that fail to load over https. Now is the ideal time to clean this up. Especially since you may start scaring away Firefox users. A good way to do this is whenever you are inserting third party scripts on your website make sure they are either using https or protocol relative links.

A quick search of your website source code for

src="http://

will help highlight areas you are calling objects via non https sources. Is your website clean of mixed content warnings?

Images from Mixed Content Blocking Enabled in Firefox 23!

About Servertastic

Servertastic is a Platinum SSL Reseller. We supply RapidSSL, Geotrust, Thawte and Symantec SSL certificates at up to 80% discount.