Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages.
When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.
What types of Mixed Content are blocked by default and what types are not? The browser security community has divided mixed content into two categories: Mixed Active Content (like scripts) and Mixed Passive Content (like images). Mixed Active Content is considered more dangerous than Mixed Passive Content because the former can alter the behavior of an HTTPS page and potentially steal sensitive data from users. Firefox 23+ will block Mixed Active Content by default, but allows Mixed Passive Content on HTTPS pages. For more information on the differences between Mixed Active and Mixed Passive Content, see here.
Mixed Content Blocker UI
Designing UI for security is always tricky. How do you inform the user about a potential security threat without annoying them and interrupting their task?
Larissa Co (@lyco1) from Mozilla’s User Experience team aimed to solve this problem. She created a Security UX Framework with a set of core principles that drove the UX design for the Mixed Content Blocker.
When a user visits an HTTPS page with blocked Mixed Active Content, they will see a shield icon in the location bar:
Clicking on the shield, the user will see options to “Learn More”, “Keep Blocking”, or “Disable Protection on This Page”:
If a user decides to “Keep Blocking”, the notification in the location bar will disappear:
On the other hand, if a user decides to “Disable Protection on This Page”, all mixed content will load and the lock icon will be replaced with a yellow warning sign:
When a user visits an HTTPS page with Mixed Passive Content, Firefox will not block the passive content by default. But since the page is not fully encrypted, the user will not see the lock icon in the location bar:
We have a master tracking bug for websites that break when Mixed Active Content is blocked in Firefox 23+. In addition to websites that our users have been reporting to us, we are running automated tests on the Top Alexa websites looking for pages with Mixed Active Content. If you run into a compatibility issue with a website involving mixed content, please let us know in the master bug, or take a step further and contact the website to let them know. Chances are, their website is also broken on Chrome and/or Internet Explorer. Chrome and Internet Explorer also have Mixed Content Blockers, but their definitions of Mixed Active and Mixed Passive Content differ from slightly from Firefox’s definition.
Want to learn more?
Still curious and want to learn more details about the Mixed Content Blocker in Firefox? Check out this more detailed blog post or feel free to ask us questions on mozilla.dev.security.