Mixed Content Blocking Enabled in Firefox 23!


For the last few months, I’ve been working on the Mixed Content Blocker for Firefox.  I’ve been landing patches since Firefox 18 in hope of reaching this day. Mixed Active Content is now blocked by default in Firefox 23!

What is Mixed Content?

When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits a page served over HTTPS, their connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.

However, if an HTTPS page includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS.  When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted over HTTP.  The Mixed Content Blocker blocks certain HTTP requests on HTTPS pages.

What do I mean by “certain HTTP requests”?  Why wouldn’t the Mixed Content Blocker just block all HTTP requests?  To answer this question, I will first explain how the browser security community divides mixed content into two categories: Mixed Active Content and Mixed Passive Content.

Mixed Content Classifications

Mixed Passive Content (a.k.a. Mixed Display Content).

Mixed Passive Content is HTTP Content on an HTTPS website that cannot alter the Document Object Model (DOM) of the webpage.  More simply stated, the HTTP content has a limited effect on the HTTPS website.  For example, an attacker could replace an image served over HTTP with an inappropriate image or a misleading message to the user. However, the attacker would not have the ability to affect the rest of the webpage, only the section of the page where the image is loaded.

An attacker could infer information about the user’s browsing activities by watching which images are served to the user.  Since certain images may only appear on a specific webpage, a request for an image could tell the attacker what webpage the user is visiting. Moreover, the attacker can observe the HTTP headers sent with the image, including the user agent string and any cookies associated with the domain the image is served from.  If the image is served from the same domain as the main webpage, then the protection HTTPS provides to the user’s account becomes useless, since an attacker can read the user’s cookies from image request headers[1].

Examples of Passive Content are images, audio, and video loads.  Requests made by objects have also fallen into this category for now; the reasons for this are discussed further in the Appendix.
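The cookie leak described above is easy to reason about with a small model. The following is an added example, not code from this post or from Firefox: a minimal cookie jar that decides which cookies a browser would attach to an HTTP image request issued from an HTTPS page. The jar contents, host names and the `parseSetCookie`, `cookieMatches` and `cookiesSentWith` helpers are all constructed for the example; only the `Domain`, `Path` and `Secure` attributes influence the decision, and `HttpOnly` and expiry are parsed past and ignored.

```javascript
// Added example (not Mozilla's code or Firefox's cookie logic): a minimal cookie
// model that shows which cookies ride along with an HTTP image request made
// from an HTTPS page. Assumptions: only Domain, Path and Secure affect sending;
// HttpOnly, Expires and Max-Age are parsed past and ignored.

// Parse one Set-Cookie header value into a small cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null, // null = host-only cookie (no Domain attribute given)
    path: "/",
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "secure":
        cookie.secure = true;
        break;
      case "domain":
        cookie.domain = val.toLowerCase().replace(/^\./, "");
        break;
      case "path":
        cookie.path = val || "/";
        break;
      default:
        // HttpOnly, Expires, Max-Age, ... do not affect this model
        break;
    }
  }
  return cookie;
}

// Would this jar entry be attached to a request for requestUrl?
// Host-only cookies go back only to the host that set them; domain cookies
// also go to subdomains. A Secure cookie is never sent over plain http:.
function cookieMatches(entry, requestUrl) {
  const { cookie, setByHost } = entry;
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const hostOk =
    cookie.domain === null
      ? host === setByHost
      : host === cookie.domain || host.endsWith("." + cookie.domain);
  const pathOk = url.pathname.startsWith(cookie.path);
  const schemeOk = !cookie.secure || url.protocol === "https:";
  return hostOk && pathOk && schemeOk;
}

// Names of the cookies from the jar that a request to requestUrl would carry.
function cookiesSentWith(jar, requestUrl) {
  return jar.filter((e) => cookieMatches(e, requestUrl)).map((e) => e.cookie.name);
}

// Constructed sample jar: after an HTTPS login, bank.example set two cookies,
// one without and one with the Secure attribute.
const SAMPLE_JAR = [
  { setByHost: "bank.example", cookie: parseSetCookie("session=abc123; Path=/; HttpOnly") },
  { setByHost: "bank.example", cookie: parseSetCookie("session_secure=def456; Path=/; Secure; HttpOnly") },
];

// An HTTPS page on bank.example embeds an image from the same host over HTTP.
// Only the Secure cookie stays out of the cleartext request.
function demo() {
  return {
    overHttp: cookiesSentWith(SAMPLE_JAR, "http://bank.example/img/logo.png"),   // ["session"]
    overHttps: cookiesSentWith(SAMPLE_JAR, "https://bank.example/img/logo.png"), // both cookies
    otherHost: cookiesSentWith(SAMPLE_JAR, "http://cdn.example/logo.png"),       // []
  };
}

console.log(demo());
```

The `overHttp` result is the case footnote [1] describes: the cookie without the `Secure` attribute travels in the clear with the image request, while `session_secure` does not, so marking authentication cookies `Secure` limits what a passive image load can expose.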

Mixed Active Content (a.k.a. Mixed Script Content)

Mixed Active Content is content that has access to and can affect all or parts of the Document Object Model (DOM) of an HTTPS page. This type of mixed content can alter the behavior of an HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks already described for Mixed Passive Content above, Mixed Active Content is also exposed to a number of additional attack vectors.

A MITM attacker can intercept requests for HTTP active content. The attacker can then re-write the response to include malicious JavaScript code. Malicious script can steal the user’s credentials, acquire sensitive data about the user, or attempt to install malware on the user’s system (by leveraging vulnerable plugins the user has installed, for example).

Examples of Active Content are JavaScript, CSS, objects, xhr requests, iframes, and fonts.
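To make the two categories concrete, here is an added example (not code from this post or from Firefox) that applies the classification above to a constructed HTML page: it resolves each subresource URL against the page URL, labels HTTP loads on an HTTPS page as active or passive using the type lists given in the post, and reports what Firefox 23 does with each by default. The regex-based scan, the element-to-type table, the sample page and the `classifyLoad`, `findMixedContent` and `firefox23Verdict` helpers are all constructed for this example; the scan is a developer audit aid, not a reproduction of Gecko's content policy.

```javascript
// Added example (not Mozilla's code): classify subresource loads on an HTTPS
// page into the Mixed Active / Mixed Passive categories described in the post,
// then scan a constructed HTML document for them.

// Type lists as given in the post for Firefox 23.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "object", "xhr", "iframe", "font"]);
const PASSIVE_TYPES = new Set(["image", "audio", "video", "object-subrequest"]);

// Returns "active", "passive" or "none" for one load. Relative and
// protocol-relative URLs are resolved against the page first, which is why
// "//cdn.example/x.js" on an HTTPS page is not mixed content.
function classifyLoad(pageUrl, resourceUrl, type) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, pageUrl);
  if (page.protocol !== "https:") return "none"; // mixed content only exists on HTTPS pages
  if (resource.protocol !== "http:") return "none";
  if (ACTIVE_TYPES.has(type)) return "active";
  if (PASSIVE_TYPES.has(type)) return "passive";
  throw new Error(`unknown load type: ${type}`);
}

// Constructed mapping from HTML elements to the load types above
// (<link> is assumed to be rel="stylesheet" for simplicity).
const ELEMENT_TYPES = [
  { tag: "script", attr: "src",  type: "script" },
  { tag: "link",   attr: "href", type: "stylesheet" },
  { tag: "iframe", attr: "src",  type: "iframe" },
  { tag: "object", attr: "data", type: "object" },
  { tag: "img",    attr: "src",  type: "image" },
  { tag: "audio",  attr: "src",  type: "audio" },
  { tag: "video",  attr: "src",  type: "video" },
];

// Naive scan of the markup: <tag ... attr="value" ...>. Good enough for an
// audit of static HTML; it does not see loads made by scripts or CSS.
function findMixedContent(pageUrl, html) {
  const findings = [];
  for (const { tag, attr, type } of ELEMENT_TYPES) {
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
    let m;
    while ((m = re.exec(html)) !== null) {
      const category = classifyLoad(pageUrl, m[1], type);
      if (category !== "none") findings.push({ tag, url: m[1], type, category });
    }
  }
  return findings;
}

// What Firefox 23 does with each finding, per the post: active loads are
// blocked by default; passive loads are allowed (the page only loses its lock
// icon) unless security.mixed_content.block_display_content is set to true.
function firefox23Verdict(findings, blockDisplayContent = false) {
  const blocked = [];
  const allowed = [];
  for (const f of findings) {
    const block = f.category === "active" || (blockDisplayContent && f.category === "passive");
    (block ? blocked : allowed).push(f.url);
  }
  return { blocked, allowed };
}

// Constructed sample page: an HTTPS checkout page with a mix of HTTP, HTTPS,
// relative and protocol-relative subresources.
const SAMPLE_PAGE_URL = "https://shop.example/checkout";
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="http://cdn.example/site.css">
  <script src="//cdn.example/app.js"></script>
  <script src="http://analytics.example/track.js"></script>
</head><body>
  <img src="http://images.example/banner.png">
  <img src="/static/logo.png">
  <iframe src="http://widgets.example/chat"></iframe>
  <video src="https://media.example/intro.mp4"></video>
</body></html>`;

function demo() {
  const findings = findMixedContent(SAMPLE_PAGE_URL, SAMPLE_HTML);
  return { findings, verdict: firefox23Verdict(findings) };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the sample page the stylesheet, the analytics script and the chat iframe come back as active and are blocked by default, while the banner image is passive and still loads; the protocol-relative script, the relative logo and the HTTPS video are not mixed content at all. Passing `true` as the second argument of `firefox23Verdict` models the about:config change in footnote [2].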

What will the Mixed Content Blocker block?

The Mixed Content Blocker will block Mixed Active Content requests in Firefox 23.  This reduces the threat to the user, but does not eliminate it completely because Mixed Passive Content is still permitted.  Users can decide to block Mixed Passive Content as well by following a couple of simple steps[2].

Why are we reducing the threat instead of eliminating the threat?  Unfortunately, the web is not ready for Firefox to block Mixed Passive Content.  Mixed Passive Content is still common on the web.  For example, many HTTPS webpages include HTTP images.  Too many pages would break if we blocked Mixed Passive Content (ex: https://youtube.com).  Hence, Firefox would alert users too often and contribute to security warning fatigue.

Moreover, blocking Mixed Passive Content could cause considerable user experience issues for users with low bandwidth connections.  To avoid generating a browser security warning, websites will begin removing Mixed Passive Content from their HTTPS sites by replacing HTTP images and videos with their HTTPS equivalent versions.  When low bandwidth users visit the HTTPS site, all image loads and video streams would be encrypted and there would be considerable lag in the page’s load time and the time it takes for videos to buffer.  With Mixed Active Content, bandwidth considerations are not as big of an issue since Mixed Active Content loads (ex: scripts, stylesheets) are usually a few KB, compared to Mixed Passive Content loads which often contain multiple MBs of data.

The risk involved with Mixed Content (active or passive) also depends on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world, or it may have private data that is only visible when authenticated. If an HTTP webpage is public and doesn’t have any sensitive data, the use of Mixed Content on that site still provides the attacker with the opportunity to redirect requests to other HTTP URLs and steal HTTP cookies from those sites.

I don’t have Firefox 23 yet.  Can I enable the Mixed Content Blocker?

Work on the Mixed Content Blocker first landed in Firefox 18 and has been incrementally improving since.

The Mixed Content Blocker UI does not exist in Firefox 18, 19, and 20.  You can turn the feature on BUT if you encounter a page that breaks because a mixed content resource is blocked, the only way to fix the page and load the insecure content is to turn the feature off.  This makes the feature difficult to use in FF 18, 19 and 20.

Firefox 21 and 22 (currently Firefox Beta and Aurora, respectively) shipped with the Mixed Content Blocking UI.  You can turn on the feature and try it out[3]!  (Note that there is a case that is incorrectly blocked in Firefox 21 that was fixed in Firefox 22 with Bug 841850).

Mixed Content Blocker UI

Designing UI for security is always tricky.  How do you inform the user about a potential security threat without annoying them and interrupting their task?

Larissa Co (@lyco1) from Mozilla’s User Experience team aimed to solve this problem.  She created a Security UX Framework with a set of core principles that drove the UX design for the Mixed Content Blocker.  If you’re interested in learning more about this process, I encourage you to check out the Mixed Content Design Specification and Larissa’s presentation on Designing Meaningful and Usable Security Experiences.

So what does the UI look like?  If a user visits an HTTPS page with Mixed Active Content, they will see the following in the location bar:

Shield Icon Doorhanger shown on HTTPS page with Mixed Active Content

Clicking on the shield, they will see options to Learn More, Keep Blocking, or Disable Protection on This Page:

Shield Doorhanger Drop Down UI

If a user decides to “Keep Blocking”, the notification in the location bar will disappear:

If the user decides to Keep Blocking, the shield will disappear.

On the other hand, if a user decides to “Disable Protection on This Page”, all mixed content will load on the HTTPS page and the Lock icon will be replaced with a Yellow Warning Triangle:

Yellow Warning Triangle appears after the user Disables Protection

If the user is unsure what to do, they can opt to learn more by clicking on the “Learn More” link. The user can also select “Not Now” or the “x” at the top of the drop down box to defer their decision until later.

If a user visits an HTTPS page with Mixed Passive Content, Firefox will not block the passive content by default (see What will the Mixed Content Blocker block?).  But, since Mixed Passive Content does exist on the page, it is not fully encrypted and the user will not see the lock icon in the location bar:

A page with Mixed Passive Content will show the Globe icon instead of the Lock icon.

Mixed Content Frames

Note that frames are classified as Mixed Active Content.  This has been a source of debate and browser vendors haven’t quite settled on whether mixed content frames should be considered active or passive.  Firefox and Internet Explorer consider frames Mixed Active Content, while Chrome considers frames Mixed Passive Content.

When trying to determine whether a load is passive or active, I ask myself “can the content affect the DOM of the page?”.  With frames, this gets a little tricky.  Technically, an HTTP frame cannot affect the DOM of its HTTPS page and hence could fall into the Mixed Passive Content category.

When we dig further, however, we find reasons to push frames into the Mixed Active Content category.  A frame has the ability to navigate the top level page and redirect a user to a malicious site.  Frames can also trick users into disclosing sensitive information to attackers.  For example, assume a user is on an HTTPS page that embeds an HTTP frame.  An attacker can MITM the frame and replace its content with a form.  The form may ask the user to log in or create an account. Most users are oblivious to the concept of framing pages and have no idea that it is the HTTP frame that contains the form and not the HTTPS website. Assuming they are on the HTTPS encrypted page, the user enters their personal information.  This information is then sent to the attacker without the user’s knowledge.

Remaining Edge Cases

Many edge cases were found while developing the Mixed Content Blocker.  Some of these edge cases have been resolved, some are pending development, and some are open questions that require further discussion.

We did not want to wait until all possible issues were resolved before turning Mixed Active Content blocking on by default for our users.  But at the same time, if we turned the feature on with too many false positives, we would be unnecessarily alerting users and contributing to security warning fatigue.  (False positives are cases where the Mixed Content Blocker mistakenly blocks content that should have been permitted.)  Hence, I worked to eliminate all false positive issues that I was aware of before turning on the Mixed Content Blocker.

On the other hand, there are still a number of false negatives that remain open. This means that there are certain cases where the Mixed Content Blocker does not block content that should have been blocked.  We still decided to turn the feature on because we believe we should protect our users as soon as possible, even if our solution is not 100% perfect yet.  The false negatives are valid issues and affect the safety of our users.  Engineering solutions for these edge cases is important (and is next on my list), but should not prevent us from protecting users from mixed content we can identify and can block for users today.

For developers trying to secure their websites by removing mixed content, these false negative edge cases could prove problematic and cause extra work.  The last thing a developer wants to do is attempt to remove mixed content on their site for Firefox 23, and then have to do this again in Firefox 24 because of an edge case that was fixed and that the developer wasn’t aware of the first time around.  In an attempt to help with this problem, I have added an Appendix to this blog post that describes all the open edge cases and open questions, with reference links where developers can learn more about the progress in resolving these known issues.

Thank You

Thanks to all the Mozillians that have helped me with this feature.  Special shout-outs to…

Olli Pettay (smaug)
Brandon Sterne (@bsterne)
Larissa Co (@lyco1)
Ian Melven (@imelven)
Sid Stamm
Brian Smith
Justin Dolske (@dolske)
Gavin Sharp (@gavinsharp)
Matthew Noorenberghe

Couldn’t have done it without you :)

Footnotes

[1] Unless the authentication cookies are flagged with the secure bit, preventing the browser from sending the authentication cookies for non-HTTPS requests.

[2] To block Mixed Passive Content, open a window or tab in Firefox and enter about:config.  You will get to a page that asks you to promise to be careful.  Promise you will be, and then change the value of security.mixed_content.block_display_content to true by double clicking it.

[3]  In Firefox 23+, Mixed Active Content is blocked by default.  If you are using a Firefox version between 18 and 22, you can block Mixed Active Content by opening a window or tab in Firefox and enter about:config.  You will get to a page that asks you to promise to be careful.  Promise you will be, and then change the value of security.mixed_content.block_active_content to true by double clicking it.

Appendix – Edge Cases Described in Detail

Note that this section is highly technical and has a lot of gory details, so feel free to skip over it unless you are interested, want a sneak peek at forthcoming Mixed Content Blocker changes that may affect your site, and/or are a browser security junkie like me :)

    1. Redirects
      If an HTTPS content load responds with a 302 to an HTTP destination, the Mixed Content Blocker in Firefox will not detect or block the mixed content.  This is because of the way that Gecko’s Content Policies work (or don’t work) with redirects.  The work to fix this edge case can be found in Bug 418354 and Bug 456957.
    2. Session Restore & document.write
      Assume an HTTPS page loads an HTTP script that invokes a document.write that replaces the current page’s content.  If the browser is shut down and later the session is restored, the user will see the content from the document.write that replaced the original webpage.  This would be okay, except that instead of showing the yellow warning triangle, Firefox 23 shows a lock.  This is inaccurate, because the page’s new content was created by an HTTP script and hence cannot be considered fully encrypted.  The work to fix this issue can be found in Bug 815345.
    3. Object Subrequests
      Assume that an HTTPS page loads an HTTPS object in a plugin.  That object may then request further resources through the plugin.  The requests made by the plugin are considered the object’s subrequests.  Since the requests are made by a plugin and not by the browser, it is very difficult for the browser to determine whether the HTTP subrequests should be considered Mixed Active or Mixed Passive.  Without help from plugin vendors, browsers cannot accurately determine this classification.  To prevent false positives and security warning fatigue, Firefox (and Chrome) have classified HTTP object subrequests as Mixed Passive Content.  This means that we do have false negatives, where the content is actually active and should be blocked, but isn’t.

      The solution to these false negatives is still under discussion.  Take a look at Bug 836352 and chime in if you have some suggestions!
    4. Relying on HSTS to prevent Mixed Content
      Websites can specify an HSTS header that tells browsers to only connect to them over a secure connection.  Assume https://example.com sets this header (and for simplicity’s sake, assume example.com is not on the HSTS preload list).  A developer, relying on HSTS, includes HTTP content from example.com on https://foo.com.

      Firefox will convert the http://example.com link to an https://example.com link before making the network request.  Hence, technically, the user’s security is never affected.

      Currently, the Mixed Content Blocker will detect the http://example.com link before it is converted to HTTPS by HSTS and classify the content as mixed content.  I believe this is fine.  Relying on HSTS to protect websites from mixed content loads is bad practice, for the following reasons.

      • If this is the first time the user has loaded content from example.com, the content will be loaded over HTTP since the browser has not yet received an HSTS header from example.com.
      • For browsers that do not have HSTS implemented (ex: Internet Explorer), https://foo.com will have mixed content, since the request for content from http://example.com is never converted to an HTTPS request.

      Perhaps you disagree?  Express your thoughts in Bug 838395

    5. Mixed Content in Framed Pages
      Assume https://unimportant-site.com includes an iframe to https://bank.com. https://bank.com contains Mixed Active Content that Firefox blocks.  The user has a choice to “Disable Protection on This Page” and load the Mixed Active Content on https://bank.com.  As we mentioned earlier, most users don’t know what frames are.  The user sees that they are on https://unimportant-site.com and can decide to load the mixed content on https://unimportant-site.com by clicking “Disable Protection on This Page”.  To the user, “This Page” is https://unimportant-site.com, but in actuality, the result is that protection is disabled on https://bank.com.

      Bug 826599 discusses whether users should even have an option to disable protection on HTTPS frames.  The bug is to remove the UI to Disable Protection if the mixed content is coming from an HTTPS frame with a different domain than the top level domain.  What do you think about this?

In addition to the items listed above, there are also many other issues remaining to improve the Mixed Content Blocker.  You can see here for a list of items and corresponding bug numbers.
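Appendix item 4 hinges on ordering: the Mixed Content Blocker classifies the URL exactly as it is written in the page, and any HSTS upgrade happens after that. The following is an added example, not code from this post or from Firefox: a toy browser model that walks one HTTP script load through the mixed-content check, the HSTS upgrade and the network step, and reproduces the two reasons the post gives for not relying on HSTS (first visit, and a browser without HSTS). The `makeBrowser`, `recordHstsHeader` and `loadSubresource` helpers, the browser flags and the foo.com / example.com scenario values are constructed for this example.

```javascript
// Added example (not Mozilla's code): a toy model of the order of operations
// the post describes in Appendix item 4. The Mixed Content Blocker sees the
// http:// URL as written in the page; HSTS, if the browser has it and already
// knows the host, only rewrites the scheme afterwards.

const ACTIVE_TYPES = new Set(["script", "stylesheet", "object", "xhr", "iframe", "font"]);

// Constructed browser state. supportsHsts=false stands in for a browser that
// has no HSTS implementation (the post names Internet Explorer as one).
function makeBrowser({ supportsHsts = true, blockActiveContent = true, knownHstsHosts = [] } = {}) {
  return { supportsHsts, blockActiveContent, hstsHosts: new Set(knownHstsHosts) };
}

// Remember a Strict-Transport-Security header received from a host. Only the
// host name matters here; max-age expiry and includeSubDomains are ignored.
function recordHstsHeader(browser, host, headerValue) {
  if (browser.supportsHsts && /max-age=\d+/i.test(headerValue)) browser.hstsHosts.add(host);
  return browser;
}

// Walk one subresource load through the three steps and return what happened.
function loadSubresource(browser, pageUrl, resourceUrl, type) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const trace = [];

  // Step 1: mixed-content check on the URL as written in the page.
  const mixedActive = page.protocol === "https:" && res.protocol === "http:" && ACTIVE_TYPES.has(type);
  if (mixedActive) {
    trace.push("classified as Mixed Active Content");
    if (browser.blockActiveContent) {
      trace.push("blocked by Mixed Content Blocker");
      return { outcome: "blocked", finalUrl: null, trace };
    }
  }

  // Step 2: HSTS upgrade, only if this browser implements HSTS and has already
  // seen an HSTS header from the host (or has it preloaded).
  let finalUrl = res.href;
  if (res.protocol === "http:" && browser.supportsHsts && browser.hstsHosts.has(res.hostname)) {
    finalUrl = "https://" + res.host + res.pathname + res.search;
    trace.push("upgraded to HTTPS by HSTS");
  }

  // Step 3: the request leaves with whatever scheme survived steps 1 and 2.
  trace.push(`fetched ${finalUrl}`);
  return { outcome: "loaded", finalUrl, trace };
}

// The post's scenario: https://foo.com includes an HTTP script from
// example.com, a host that serves an HSTS header.
const PAGE = "https://foo.com/";
const SCRIPT = "http://example.com/widget.js";

function scenarios() {
  return {
    // Firefox 23 default: blocked in step 1, HSTS never gets a say.
    firefoxKnownHost: loadSubresource(
      makeBrowser({ knownHstsHosts: ["example.com"] }), PAGE, SCRIPT, "script"),
    // Protection disabled and the host already known: HSTS rescues the load.
    unblockedKnownHost: loadSubresource(
      makeBrowser({ blockActiveContent: false, knownHstsHosts: ["example.com"] }), PAGE, SCRIPT, "script"),
    // Protection disabled, first visit to example.com: nothing to upgrade, plain HTTP.
    unblockedFirstVisit: loadSubresource(
      makeBrowser({ blockActiveContent: false }), PAGE, SCRIPT, "script"),
    // A browser without HSTS never upgrades, whatever it has seen before.
    noHstsSupport: loadSubresource(
      makeBrowser({ supportsHsts: false, blockActiveContent: false, knownHstsHosts: ["example.com"] }),
      PAGE, SCRIPT, "script"),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The `unblockedFirstVisit` and `noHstsSupport` traces are the two bullet points from item 4: in both, the script goes out over plain HTTP even though example.com serves an HSTS header, which is why the safe fix is to write the `https://` URL into the page rather than count on the upgrade.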

Categories: Browser Security

371 responses

  1. anon wrote on :

    The link to https://youtube.com is broken (it accidentally includes a closing parenthesis in the URL)


    1. tvyas wrote on :

      Thanks for letting me know! I’ve fixed the link.


      1. asdf wrote on :

        Some bugzilla links also have a “)” at the end!


        1. Tanvi wrote on :

          Thanks! I think I’ve fixed them all now.


  2. Kovu wrote on :

    Veeery insidious stuff. Good job and thanks for your work helping lock down some of these rather quite alarming “holes.”


  3. Confused wrote on :

    Why fonts are considered active content?

    PS: clicking “Submit” got me a warning about unencrypted connection, heh.


    1. tvyas wrote on :

      We went back and forth a lot when it came to fonts (see https://bugzilla.mozilla.org/show_bug.cgi?id=62178#c165, https://bugzilla.mozilla.org/show_bug.cgi?id=62178#c175, and https://bugzilla.mozilla.org/show_bug.cgi?id=62178#c176). A MITM’ed HTTP font could change the contents of the page (so that the page looks completely different than was originally intended or says something completely different), but fonts do not have DOM access. Since a webpage won’t break if we block an HTTP font (a default fallback font will be used) and since mixed content fonts are rare (or at least we think they are and will find out for sure once we have telemetry for mixed content), we decided to put fonts in the Mixed Active category and protect our users from mixed content font loads.

      One of the reasons we can’t turn Mixed Passive Content blocking on by default is because the web is not ready for that and too many pages would break. Since blocking mixed fonts won’t break the web, we decided to block them by default by putting them into the Mixed Active Content category, even though per definition they should fall into the Mixed Passive Content category.

      As for the Mixed Content warning you get from hitting submit to enter a comment, thanks for letting me know about this! blog.mozilla.org uses http:// links instead of https:// links, but is an HSTS site. So it falls into the “Relying on HSTS to prevent Mixed Content” category – the requests you make get converted to HTTPS before they ever hit the network, so you are technically safe if you are using Firefox or Chrome (and if this isn’t the first time you are visiting a blog.mozilla.org page). However, this is a bad practice and we have a bug open on blog.mozilla.org to fix this (https://bugzilla.mozilla.org/show_bug.cgi?id=855399).


  4. Transcontinental wrote on :

    Excellent in-depth article. Thanks.


  5. Paranoid wrote on :

    This makes it sound as if Firefox will tell me everything was served over HTTPS in a few cases where something came over HTTP. Is that the case? Or does the Mixed Content Blocker “failing to block” something just mean I get the non-HTTPS UI?


    1. tvyas wrote on :

      I think what you are asking about is Mixed Passive Content. If an HTTPS page has Mixed Passive Content, it will not be blocked by default. The lock icon will disappear and instead the user will see a globe (there are discussions about changing the globe to something else, but they are just discussions right now). You can block Mixed Passive Content by going to about:config and changing security.mixed_content.block_display_content to true (as described in Footnote [2]).


      1. Paranoid wrote on :

        My comment was not very clear on this point; sorry. I was wondering about the false negative edge cases, particularly because you say they “affect the safety of our users” which makes it sound as if they’re worse than they were before.


        1. tvyas wrote on :

          The false negative edge cases listed in number 1 and 2 in the Appendix were not blocked before Firefox 23 and continue to load on HTTPS pages today. Users aren’t any worse off in Firefox 23 because of them, but they are not protected from them yet.

          For “false negative” number 3 in the Appendix (object subrequests are categorized as Mixed Passive when they might actually be active content types), in Firefox 18-20 object subrequests were categorized as Mixed Active Content. So if a user set the about:config preference to block Mixed Active Content in FF 18-20, these requests would have been blocked and then allowed in FF 21+. However, the feature was still a work in progress at that point and FF 18-20 had no user interface to Disable Protection.


  6. Pingback from Mixed Content, Modern Browsers, and Principle of Trust | Grio Blog on :

    [...] Security Engineer (you can find her on Twitter @TanviHacks) talking about mixed content and Firefox 23. It was awesome and refreshing to read that modern browsers are amping up security. A few weeks [...]


  7. Lloyd wrote on :

    Would you consider content in sandboxed iframes to be mixed passive content?


    1. tvyas wrote on :

      Hi Lloyd,
      This is a good question that I had not considered before. A sandboxed frame that does not have permissions for allow-scripts, allow-top-navigation, and allow-forms may cover all the security issues that push frames into the “Mixed Active” category.

      However, iframe sandbox is a fairly new concept and doesn’t have a huge presence on the web yet (as far as I know). We block mixed content fonts (as described in a previous comment) even though they are technically “Mixed Passive” content. Since they are new and won’t break the web, we’d rather block them by default up front and move closer to a web where we can block all Mixed Content. In the same way, I think we shouldn’t add an exception for sandboxed iframes right now. If I am wrong and we find that the web is full of mixed content sandboxed iframes, then we can revisit this decision. Make sense?


      1. Jerome Eteve wrote on :

        That would be great if sandbox’ed iframe were considered passive mixed content.

        Consider the following use case:

        You have an https://cm.bla.com/ interface for a content management system to publish to an http://bla.com/.

        Now let say https://cm.bla.com/ wants to show an iframe of http://bla.com to allow the user to check his edits quickly.

        embedding http://bla.com in a sandbox’ed iframe is, from the user’s experience perspective much better than having to click an extra link.

        Hope this will make it to the roadmap :)

        J.


        1. Tanvi wrote on :

          Hi Jerome,

          If the sandboxed iframe did not have access to script, would your use case still be satisfied? In order to treat sandboxed iframes as passive we’d need to 1) not allow forms, 2) not allow top-navigation, and 3) not allow scripts. The first two aren’t so bad, but without scripts a lot of iframed content won’t function. See bug https://bugzilla.mozilla.org/show_bug.cgi?id=903211 for details on why these restrictions would be required.


          1. Ralph Lindenfeld wrote on :

            iframes containing scripts are not passive, but from a logical perspective if they’re coming from the same root URL I can’t imagine a scenario where one group in an organization would be creating malicious content to target another of the organization’s URLs.

  8. Jordan Arentsen wrote on :

    Is there any way to create a whitelist of sites that you trust? It’s extremely annoying with sites like Vine, etc.

    Thanks!


    1. tvyas wrote on :

      We don’t have a whitelist mechanism. Mixed Content is blocked on a per-page load basis. “Disabling Protection” and allowing the content is hence also per-page load.


      1. Ray Satiro wrote on :

        I’ve filed a feature request for that here: https://bugzilla.mozilla.org/show_bug.cgi?id=873349


      2. Joshua Bowman wrote on :

        This is so annoying, and shouldn’t have been pushed even to Aurora without an easy whitelist mechanism that allows you to add a site with the same click you unblock with. If it gets to beta (to say nothing of production) like this, the backlash will be pretty furious. That there’s little to no interest in the whitelist request above, to the point of not even adding it to the wiki page, is just sad and shows seriously misplaced priorities. In the meantime, I’m just going to turn it off and try to let other people know how.


        1. AJW wrote on :

          So, how do you turn it off?


          1. AJW wrote on :

            Actually, figured it out quickly.

            1. go to about:config
            2. find security.mixed_content.block_active_content
            3. toggle it off

          2. Mitch wrote on :

            Where is the “About” tab so I can turn this feature off?

          3. Tom wrote on :

            There is no “off” on a PC — do you mean “false”?

          4. Tanvi wrote on :

            Yes.

        2. Svea wrote on :

          I can’t believe this really has gone live without a whitelist feature. The only way to get around this is to turn it off completely – not a very clever way to implement a new feature!


          1. Tanvi wrote on :

            The request for a whitelist feature, along with its pros and cons, is being discussed here https://bugzilla.mozilla.org/show_bug.cgi?id=873349

          2. David Konatowski wrote on :

            Good feature. Thanks for the about:config help. Whitelist by domain is essential.

      3. JamesGM wrote on :

        Another vote for “how could this have gotten through beta”???
        If you frequently use a trusted web site with mixed content, all this does is add extra work and annoyance: NO added security.

        And if you are trying to deliver content in a situation where you are forced to use mixed content, you are unable to deliver to the huge masses of people who just won’t know what is going on. A tiny shield appearing in the address bar is virtually invisible to the average user.


        1. blindfish wrote on :

          Agreed! All this talk of wanting to avoid “security warning fatigue” yet you’ve produced a tool that by design induces it within 5 minutes of navigating through a single site :/

          We were affected by content blocking at work (our CMS editing interface blocking a lot of content when editing content) and our more web-savvy users didn’t all spot the shield icon and had no idea why things were breaking (maybe a pop-up is required the first time it’s encountered to draw attention to the functionality?).

          When they did figure out what was going on some quickly discovered they could disable this feature via about:config; and did so; since there’s no site whitelist option. I’m holding off from upgrading: was hoping the backlash would lead to this issue being resolved promptly. If not I’ll also choose to manually disable it.

          Should a whitelist option be added in future you will need to force the feature back on and make users aware that they can now whitelist sites; rather than leaving it disabled and exposing them to security risks elsewhere…


  9. Qoo Qooer wrote on :

    I am testing Aurora with the about:config flag enabled.

    I’ve noticed in Gmail a lot of the HTML newsletter have their contents blocked due to the img link hardcoded to http://.

    It seems to me that if this is enabled by default, a lot of email newsletters will be broken. Is there a workaround?


    1. tvyas wrote on :

      Mixed Content images are allowed by default in Firefox 23+ because they are all over the web. Blocking these will break many pages, which is why Firefox does not block Mixed Passive Content by default.

      Gmail has Mixed Content images that a user can enable/disable through the gmail website. (There is a note on top of emails with HTTP images that says “Images are not displayed” with options to “Display images below” and “Always display images from xxx@yyy.zzz“.) Setting the about:config pref on your own to block mixed passive content (security.mixed_content.block_display_content) will block these images permanently.


      1. ELizabeth wrote on :

        I agree, add a whitelist now or disable this mixed content blocking. You are breaking many pages we need to access. It is too cumbersome to go through this multi-click process to enable a page, time after time.


  10. Simon wrote on :

    I’m already having warning fatigue; can we turn off this feature?


  11. Daniel wrote on :

    Is there a way to disable this “feature”? It is insanely annoying, and I feel if it ever gets pushed to firefox it will result in a lot of people leaving for another browser. Many popular websites, like nytimes.com or xkcd.com, are being blocked.


    1. Tanvi wrote on :

      We have contacted the nytimes and xkcd. For the nytimes, going to https://nytimes.com actually redirects you to http://nytimes.com, implying that nytimes isn’t ready for users to visit their SSL site. https://www.nytimes.com is missing the redirect.

      Note that users will also experience problems on Mixed Content sites in IE and Chrome, since they also have a Mixed Content Blocker.


      1. MeToo wrote on :

        Actually both https://nytimes.com and https://www.nytimes.com are broken in Firefox 23. This sucks. How do we disable this feature?


      2. Colleen wrote on :

        I use ArcGIS’s online webmaps for work and they’re now rendered completely useless due to this feature. We’re being forced to use Internet Explorer in the interim, much less safe.


  12. Felix wrote on :

    Is there a way to exclude URLs with custom protocols from the block? I created an addon which injects (user generated) content into web pages and uses iframes with a custom protocol (defined via nsIProtocolHandler) to prevent access from the page to the iframes (same-origin policy). But now the custom protocol is blocked as “Mixed Active Content “.

    1. Tanvi wrote on :

      Hi Felix; we use nsIProtocolHandler flags to determine whether a protocol is safe to load: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsMixedContentBlocker.cpp#288. What is your custom protocol? Perhaps we can add the appropriate protocol handler flag to make this work. How is the data for the iframes retrieved? If you are worried about same-origin policy, you could also try using iframe sandbox (http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/).

  13. DONTMAKEME DOIT wrote on :

    While I tremendously appreciate the intent and difficult work that is going into this feature to protect people, it appears that the way this feature was rolled out without a white list or pattern matching for pages is another case of “we know better than you what you should do”. I do not think it was done on purpose, but the result is the same practically.
    First, it should be easy to disable this feature on a site by site basis, and also easy to disable from a global perspective. Since it was known by the team that very numerous sites were going to cause problems because of non-compliance, a reasonable remedy for users should also have been provided until the field starts complying with new standards. Granted, to bring change, one needs to provide incentive, but not at the expense of users, and not in such a way; this is just ridiculous.
    Second, contrary to what you may have expected, the warnings are absolutely not obvious to see at first. I wasted so much time tracking this issue on the nytimes at first, and I am a very educated user.
    Something similar to an in-page warning would be much more appropriate (at least, give us a choice).
    Third is more of a question. Thinking of the nytimes, does the page display really have to be degraded to such a level to protect the users? (It may need to be or it may not; I am thinking of how Adblock at first was totally messing up pages when removing ads.)

    1. DONTMAKEME DOIT wrote on :

      BTW, because of this, I have now disabled nytimes in the https-everywhere list, which in essence achieves the exact opposite goal of what was intended with this feature…

      1. Tanvi wrote on :

        nytimes doesn’t seem to support https for its users. When you go to https://nytimes.com you are redirected to http://www.nytimes.com. When you go to https://www.nytimes.com, you aren’t redirected and the CSS is served over HTTP (so it is blocked). This may be a bug with nytimes, where they intended to redirect users to the http version of their site, but they missed the redirection for https://www.nytimes.com.

        We’ve tried contacting nytimes to alert them of this issue, but haven’t gotten a response – https://bugzilla.mozilla.org/show_bug.cgi?id=862164. Note that https://www.nytimes.com doesn’t render properly on IE or Chrome either.

        1. Tanvi wrote on :

          Users who have HTTPS Everywhere installed will have a much more broken experience, since the addon upgrades sites to HTTPS that may not be ready for the upgrade. We are working with HTTPS Everywhere to help mitigate this issue. https://bugzilla.mozilla.org/show_bug.cgi?id=878890
          https://trac.torproject.org/projects/tor/ticket/9196

          1. DONTMAKEME DOIT wrote on :

            I have found many other sites since then that, as you said, cause problems in combination with HTTPS Everywhere.

            Since the world is obviously not completely ready for this, how about an easy way to switch on/off…?

  14. Mike Diack wrote on :

    Needs a whitelist desperately. About half of the websites I’m visiting (even reputable stuff like MSDN) are now broken due to this “improvement”.

    This feature is currently very jarring, and is now so invasive, I’m doing much more of browsing in IE – which I’d previously not used in months, but this has totally screwed up the user experience.

    IMHO it needs a means of allowing the user to:

    1) Whitelist the site (either for this session – i.e. until firefox.exe terminates or permanently)
    2) Optionally to anonymously forward the site details to mozilla who can then centrally manage, filter and pass out requests to the site owners to fix their sites.

    1. John J wrote on :

      Second on the whitelist. Our CMS uses https frames with a preview frame. All that works fine — but within the preview frame are links to http content, and the links are blocked. That is to say, users can’t get OFF the https frame via a link to an http frame. Ideally, that wouldn’t happen — but a simple whitelist would let us get around it while you work out the kinks.

      1. Tanvi wrote on :

        Hi John! Thanks for your comment. Can you elaborate or provide an example of the bug? You are on an HTTPS page with an HTTPS frame. Is the problem that:
        1) When you click to navigate the HTTPS frame to HTTP, the navigation fails. This is expected because it introduces Mixed Active Content on the HTTPS page. You should see the same behavior in IE and Chrome 29+ (which comes out in late July/early August).
        2) When you click on an HTTP link within the frame that is supposed to open in a new tab/window, it fails to open. This is a bug, and I actually think I fixed this bug in Firefox 22 (https://bugzilla.mozilla.org/show_bug.cgi?id=841850)

      2. Andrew B wrote on :

        I second John’s request to whitelist certain domains. We have a similar issue with our CMS where the admin console is hosted on an HTTPS page with the preview iframe being (usually) HTTP hosted content. I don’t have the ability to modify this behavior and thus have to allow the display of mixed content on every preview.

        1. Tanvi wrote on :

          The bug to persist the “disable protection” decision has been patched and is going through review (https://bugzilla.mozilla.org/show_bug.cgi?id=902156). We plan to land this and uplift it to Firefox 24. This should help alleviate the pain you are experiencing on your admin console.

  15. Maryloup wrote on :

    Hello,

    How does one get rid of it? It disturbs me! For the same site I must unlock it every time again, and every time I click to unlock it reloads the page, and it created bugs in my game, which is already full of them without adding more. I do not need that, I know where I click and I would like the option to disable it once and for all, thank you

    1. tonfold wrote on :

      I agree with you, it’s very, very time-wasting…

      1. Come on wrote on :

        The intention was good but the application is silly. There are literally tons and tons of websites out there that are unsafe according to mixed content, so what does Firefox do?

        It automatically blocks this content. Really convenient; then every time we stumble upon a new website that is in HTTPS but has a link to an HTTP embedded YouTube video, we have to click the shield button. Sigh.

        Why can’t you introduce a whitelist???

        The worst thing is it is, by default, turned on for the new Firefox. I had to search high and low for something that is breaking the page due to the new updates. What about the average users????!

        Just swallow your pride and admit that this forced-to-use-inconvenient-feature-for-the-masses is not working, tweak it by adding a whitelist, or the ability to turn it off. It’s not making a good impression when an average joe user is able to surf his favourite forum that has embedded YouTube using CHROME, but in FIREFOX the video links are all broken

  16. musakkarul wrote on :

    I think this has a false alarm,
    because my usual forum in Indonesia, the site www.kaskus.com or http://www.kaskus.co.id,
    is always blocking the whole page; in reality that site is completely safe, and it very much disturbs me because I always have to change the setting per page to disable it and open it, because all of that content is stopped/blocked.
    Can you help me to change the setting or maybe put the site in a whitelist?
    Thanks

    1. Tanvi wrote on :

      The problem is with the SSL version of the site (https://www.kaskus.co.id), not the HTTP version (http://www.kaskus.co.id). Are you using the HTTPS everywhere addon?

      The purpose of blocking Mixed Active Content is to protect against network attackers (Man-in-the-middle and eavesdroppers). Even if you completely trust the site you are visiting (ex: kaskus) and trust their servers, you are still vulnerable to network attackers.

      For this reason, I’ve been debating whether or not a whitelist makes sense. I could whitelist a site and feel comfortable with the risks associated with “Disabling Protection” while browsing at home. But would I feel comfortable with the risk if I was browsing at an Internet Cafe? On the other hand, this distinction is not something an average user understands. And perhaps providing a whitelist feature is better than users disabling the feature altogether because their favorite website has this security issue.

      We are also trying to identify sites with this security issue and alert them so that they have an opportunity to fix this for their users (https://bugzilla.mozilla.org/show_bug.cgi?id=844556). Please tell us about more sites that cause this security and usability issue.

  17. pm wrote on :

    Jesus christ, you morons, it marks Wikipedia as unsafe. Come on, let me turn this thing off.

    1. Tanvi wrote on :

      We haven’t gotten any reports about issues on the SSL version of wikipedia. I just browsed the site, looking for Mixed Content and I can’t seem to find any problems. Can you direct me at the exact page where Wikipedia is marked unsafe?

      1. Ramesh Single wrote on :

        Look out for ecoswarm.com. Their whole website is down because they are on https and majority content that they link to is http.

  18. fffffffffffffff wrote on :

    Oh god. What the heck did you do. Now it tells me that Wikipedia is unsafe. WIKIPEDIA for pete’s sake!

    1. Tanvi wrote on :

      We haven’t gotten any reports about issues on the SSL version of wikipedia. I just browsed the site, looking for Mixed Content and I can’t seem to find any problems. Can you direct me at the exact page where Wikipedia is marked unsafe?

      1. Sam wrote on :

        Half of the sites on the web I use are triggering this. It has convinced me to move to Chrome. Firefox is getting as anal as IE.

        1. Tanvi wrote on :

          As of October 1st, Chrome’s stable release also blocks mixed content iframes and you will likely experience the same issues.

    2. Eric wrote on :

      Why do you assume that wikipedia is safe? Safe sites don’t use mixed content.

    3. Brett wrote on :

      I think the Firefox guys do a great job. But this is an example of “protecting” people from lions by putting a bag over their head and putting them in a cage with the lions, and not by actually separating the lions from the people by the use of some sort of clever electronic(?) fence.

      Making people “safe” by p**ing everyday users off and forcing them to use a less secure browser to see whatever site does not work for them is not “safe” at all; it’s actually making the internet much less safe. Do you want people using whatever MS$$ default and/or unpatched browser they have with the OS, often not patched for the latest security flaws (as it was previously unused)?

      For those that don’t see the minuscule warning icon, and there is no obvious “disable for this site” functionality, they will just try whatever OTHER browser they have, and if it works they’ll do that. Bad.

      The UI functionality should be the same as for an “untrusted” certificate (which is still annoying but at least the purpose and functionality is clear): you get a bit of static text that this is a potentially dangerous website, etc., if you don’t know what this is, click here to exit or here to trust this site.

      This silent hiding of active content is counter to the use cases for all other functionality in Firefox.

      And no, I don’t see adding a tiny 16x16px warning as being any sort of notification. At the very least it is not noticeable given the real estate devoted to other content; at worst it disadvantages people with vision impairments or even those that need reading glasses and are not wearing them. If the page text is larger for this type of user, then the icon won’t get any more noticeable.

      If a regular user goes to a website with mixed active content, have a static (local) UI page explaining why that is bad, maybe with links to explanations of how it can be fixed or ignored, and give the option to ignore/accept for the current website.

      If you mark a website as trusted (for active content), then you should not be prompted again. If there are frames, then all the sub-frame hostnames that will be “trusted” by such a UI validation process should be explicitly listed with checkboxes near them (ticked by default), in case there is a sub-frame that should not be trusted.

      Most of all, saying that the user should complain to the website author to fix their site is a cop-out of the highest order. So people can’t use the internet until the world complies with Mozilla-imposed security rules? There are large parts of the internet where content trumps technical savvy. And these sites are frequently pretty interesting; these are the sites that will suffer the Mozilla “ban”.

  19. Moo wrote on :

    Notifying is fine. Blocking is just annoying.
    The likelihood of an actual attack attempt which would actually be prevented by this, especially when using Adblock and trustworthy websites, is nowhere near significant enough to warrant the annoyance of false positives.

  20. Anthony Cameron wrote on :

    I don’t think that HTTPS sites that include Mixed Passive Content should have no SSL icon entirely. They’re still primarily encrypted (and all that differs is the inclusion of some resources, like user uploaded images) and I’d prefer to see something like Chrome’s lock icon with a Slash through it. Or a yellow lock icon.

    1. Tanvi wrote on :

      We have a bug open to change the icon for mixed passive content – https://bugzilla.mozilla.org/show_bug.cgi?id=865352. Right now, the proposal is to use a grey triangle with an exclamation point and I hope to write code that makes that change soon. From what I recall, our UX team is wary of icons that include both positive and negative indicators (like a lock with an x through it), and hence we’ve steered away from those types of icons. I encourage you to provide your thoughts on the bug.

  21. Cinnamon wrote on :

    1) Can you explain this through a YouTube demo video? I am sure it will have many views (as a pay-off and partner advertising fees).
    2) When can we expect a per-tab “no Javascript” button? I suggest adding it to the right-click action on a tab.
    Thanks for the Network feature in Developer tools.

  22. Sorb wrote on :

    So now we have a lock, a yellow warning sign and a globe and they are all related to SSL but they have NOTHING in common. Yeah that’s a great way to confuse people, congratulations.

    1. Tanvi wrote on :

      Yes! It is confusing. And I want to change it. The lock should mean that the user has a full SSL experience. The yellow warning sign should indicate that the user has loaded mixed active content and compromised the integrity of the website. The grey warning triangle will indicate that the mixed passive content is present on the page. Although risky and not fully secure (and hence no lock), not as bad as mixed active content (in yellow). Finally, if the page is http, the user will see the globe. If you have suggestions on how the UX for this can be improved, please comment on bug 865352 (https://bugzilla.mozilla.org/show_bug.cgi?id=865352).

  23. ep wrote on :

    Each time I disable it, it comes back again next time I go back to the same place.
    How do I turn off this feature permanently?

    1. Tanvi wrote on :

      The blocker can only be disabled per page load right now, but I’m working on a bug to make this persist while you are on a particular domain (https://bugzilla.mozilla.org/show_bug.cgi?id=902156). The feature can be turned off through about:config.

  24. rachel wrote on :

    Hi, Can you help? With Firefox 23 blocking sites that have mixed content, it is blocking a shopping site. I clicked the icon and disabled it, which worked fine; however every reload/refresh causes it to be blocked again, as well as every time I go into the site. There needs to be an option to allow a site. This is a grocery web site. I understand the risks and all, but I need the site to work properly.

    thank you!

    1. Tanvi wrote on :

      The blocker can only be disabled per page load right now, but I’m working on a bug to make this persist while you are on a particular domain (https://bugzilla.mozilla.org/show_bug.cgi?id=902156). In the meantime, the grocery website (which you probably enter your credit card info on) is vulnerable to a man-in-the-middle attack. If you could contact them and let them know about the issue, perhaps they can fix your usability issue and secure their site at the same time. Thanks!

  25. David wrote on :

    I want to be able to turn this feature OFF permanently on my https ‘homepage’ as the links in it become inactive with it turned on… and it’s a real pain having to turn it OFF every time I load the page!! It’s a trusted site with mixed content.

    1. Tanvi wrote on :

      Mixed Content attacks are network attacks, and don’t have anything to do with the trustworthiness of the actual web servers hosting a website. What page are you experiencing problems with? I encourage you to contact the website and ask them to fix their security issue.

      1. David wrote on :

        It’s OK. I’ve switched Browsers and all is OK now. Farewell FF

  26. TheThirdEye wrote on :

    how can we turn off this feature?

    1. Tanvi wrote on :

      The feature can be turned off through about:config pref security.mixed_content.block_active_content.

      1. Erika wrote on :

        What does that mean? “about:config” I don’t know where that is. Is there a way to turn this off for the average user? Or a tutorial to figure out what this “about:config” thing is? My WORK website no longer works. I have to flip through a new page every 2 minutes and I do NOT have the time to disable protection *every*single*time*.

        1. Tanvi wrote on :

          Chances are your work website doesn’t work on IE or Chrome either (who also have this security feature). It would be great if you could let your work know about the security issue with their website.

          You can go to about:config by opening a new tab and typing in about:config. More details are in footnote [2] of this blog post. https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2

          1. Ramesh Single wrote on :

            That’s a lame excuse to blame IE and Chrome. Because everyone is ruining the experience doesn’t mean you should too.

  27. michelle wrote on :

    Hi! There is a grocery site I use that is being blocked due to mixed content. Once I unblock, it will block again when certain functions on the site are used, such as refresh. Some of the site’s functions are also refreshes, but they are necessary. The review order button for example is a refresh.

    So while working on an order this site will be blocked numerous times. I have called the company and there is nothing they can do about it. They have people still on dial up and aol browsers. What I believe Firefox needs to give us is the ability to allow the site totally and permanently, not just until a refresh. I tried adding it to exceptions in security but of course that didn’t work because it’s not an attack site. Just wondering if Firefox can add the function to allow sites permanently.

    Thank you for listening!

    1. Tanvi wrote on :

      Hi. Thanks for your comments. It’s unfortunate that the grocery website isn’t able to fix the issue and secure their site. In the meantime, we are working on persisting the decision to “Disable Protection” while you are navigating through a specific domain (https://bugzilla.mozilla.org/show_bug.cgi?id=902156). There are also discussions going on about whether or not it makes sense to implement a whitelist mechanism for users to always allow mixed active content on specific sites (https://bugzilla.mozilla.org/show_bug.cgi?id=873349).

  28. Zach Bailey wrote on :

    As the product owner of a product that has a lot of CMS features (content building) where the backend has to be secure but the content that our customers are building (emails, landing pages, forms, etc) is not, this has now broken a large portion of our site for Firefox users.

    This is because our backend enforces https (yay) but serves content previews off a separate domain using http. So, the iframe doesn’t render.

    OK, make the iframe https – that’s not too hard. Oops, now all the content in the iframe is jacked up because the javascript and stylesheets are wanting to load via http.

    So, now I have to figure out how to https-proxy every single resource a customer’s content might want to load and make sure that’s loading over https, otherwise their pages are going to look wrong or not work correctly. That’s a terrible experience. And it’s firefox’s fault.

    PLEASE PLEASE PLEASE give firefox users a way to add a site to an “exclude” list, or do something smart with iframe sandboxing. If we could simply send a response header or add an attribute to our preview iframe, that would be grand.

    Thank you for listening.

    1. Tanvi wrote on :

      Hi Zach,

      Thanks for your comment! Changing the restrictions on Mixed Frame blocking for sandboxed frames has crossed my mind, but I thought it wasn’t a common enough use case. Perhaps that would be a good solution for websites that host a lot of third party content that they can’t control.

      Framing third party content (aside from mixed content) has the potential to be malicious and compromise your users. What if the third party distributes malware by including javascript that tries to exploit a plugin vulnerability to gain access to a user’s machine? To the user, it will appear as if the malware was hosted on your site, not the third party you framed. For this reason, some larger sites proxy third party content and use the proxy server to run certain security checks on the content. Instead, the website could decide to sandbox the third party frame. Unfortunately, most sites will require the “allow-scripts” option to function properly and hence we’re back to square one in terms of security.

      When discussing the threat posed by Mixed Content frames specifically, there are a few reasons why the frame is considered Mixed Active instead of Mixed Passive – top level navigation, disclosure of sensitive information through forms, and the ability for the frame to run script (that can cause the malware installation described above). So perhaps an HTTP sandboxed iframe without allow-top-navigation, allow-forms, and allow-scripts could be considered Mixed Passive Content (and not blocked by default) instead of Mixed Active Content. I filed a bug for this and welcome discussion (https://bugzilla.mozilla.org/show_bug.cgi?id=903211).

      There is also a discussion about whether or not to incorporate an exclude/whitelist in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349.

      Note that portions of your site are likely broken on Internet Explorer (which also blocks frames). And Chrome 30+ will also block mixed frames. As far as I know, neither of these browsers have an “exclude list”. Hence, even if Firefox implements an exclude list, you may still need to find an alternative solution for your users that use these other browsers.

      1. Gruff wrote on :

        But Chrome 30+ does not disable embedded YouTube videos… I guess Google would feel the financial implications!

        1. Tanvi wrote on :

          If the youtube videos are embedded over HTTPS, they will not be blocked. If they are embedded over HTTP, they will be. Here is an example: https://people.mozilla.com/~tvyas/mixedyoutube.html

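An added example, not Firefox's or the author's code, modelling the policy described in this reply (HTTP embeds are blocked, HTTPS embeds are not) and in the sandboxed-frame discussion above (bug 903211): it classifies each load on an HTTPS page as Mixed Active or Mixed Passive, applies the two about:config prefs named in the thread, and derives the site-identity indicator Tanvi describes. The load types beyond script, stylesheet, iframe and image, the hypothetical `treatFullySandboxedFrameAsPassive` switch, the indicator precedence and all sample URLs are assumptions.

```javascript
// Added example, not Firefox's own code: a model of the Mixed Content Blocker
// policy as this thread describes it. The two pref names are the real
// about:config prefs named above; the sandboxed-frame relaxation models the
// proposal in bug 903211 and is off by default; indicator precedence is assumed.

const SECURE_SCHEMES = new Set(["https:"]);
// Loads that can alter the DOM or navigate the page (Mixed Active Content).
// script, stylesheet and iframe are named in the thread; xhr is assumed.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr"]);
// Loads with a limited effect on the page (Mixed Passive / Display Content).
const PASSIVE_TYPES = new Set(["image", "audio", "video"]);

// Defaults mirror the thread: active content blocked, passive content allowed
// unless the user flips security.mixed_content.block_display_content.
const DEFAULT_PREFS = {
  "security.mixed_content.block_active_content": true,
  "security.mixed_content.block_display_content": false,
  // Hypothetical switch for the bug 903211 proposal (not a real pref).
  treatFullySandboxedFrameAsPassive: false,
};

// Sandbox tokens that keep a frame "active" in the mixed-content sense: it
// can run script, submit forms or navigate the top-level page.
const ACTIVE_SANDBOX_TOKENS = ["allow-scripts", "allow-forms", "allow-top-navigation"];

function parseSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return null; // not sandboxed
  return new Set(sandboxAttr.trim().split(/\s+/).filter(Boolean));
}

// Classify one subresource load relative to the document requesting it.
function classifyLoad(documentUrl, resourceUrl, type, prefs = DEFAULT_PREFS, sandboxAttr = null) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl, documentUrl);
  // Mixed content only exists on an HTTPS document; an HTTP page has no
  // transport integrity to lose in the first place.
  if (!SECURE_SCHEMES.has(doc.protocol)) return "not-mixed";
  if (SECURE_SCHEMES.has(res.protocol)) return "not-mixed";
  if (PASSIVE_TYPES.has(type)) return "mixed-passive";
  if (!ACTIVE_TYPES.has(type)) throw new Error(`unknown load type: ${type}`);
  if (type === "iframe" && prefs.treatFullySandboxedFrameAsPassive) {
    const tokens = parseSandbox(sandboxAttr);
    // A sandboxed frame with none of the dangerous tokens cannot run script,
    // post forms or navigate the top, so the proposal treats it as passive.
    if (tokens && !ACTIVE_SANDBOX_TOKENS.some((t) => tokens.has(t))) return "mixed-passive";
  }
  return "mixed-active";
}

// Block or allow according to the two about:config prefs.
function decide(classification, prefs = DEFAULT_PREFS) {
  if (classification === "mixed-active") {
    return prefs["security.mixed_content.block_active_content"] ? "block" : "allow";
  }
  if (classification === "mixed-passive") {
    return prefs["security.mixed_content.block_display_content"] ? "block" : "allow";
  }
  return "allow";
}

// Evaluate every load of a page and derive the site-identity indicator:
// globe (HTTP page), lock (everything HTTPS), yellow warning (mixed active
// loaded), shield (mixed content blocked), grey triangle (mixed passive
// loaded; the proposal in bug 865352).
function evaluatePage(documentUrl, loads, prefs = DEFAULT_PREFS) {
  const results = loads.map((l) => {
    const classification = classifyLoad(documentUrl, l.url, l.type, prefs, l.sandbox);
    return { ...l, classification, decision: decide(classification, prefs) };
  });
  const any = (c, d) => results.some((r) => r.classification === c && r.decision === d);
  let indicator;
  if (!SECURE_SCHEMES.has(new URL(documentUrl).protocol)) indicator = "globe";
  else if (any("mixed-active", "allow")) indicator = "yellow-warning";
  else if (any("mixed-active", "block") || any("mixed-passive", "block")) indicator = "shield";
  else if (any("mixed-passive", "allow")) indicator = "grey-triangle";
  else indicator = "lock";
  return { indicator, results };
}

// Constructed sample: an HTTPS forum page embedding a YouTube video over HTTP
// (the case raised in the thread) plus an HTTP avatar image and an HTTPS script.
const SAMPLE_LOADS = [
  { type: "iframe", url: "http://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER" },
  { type: "image", url: "http://cdn.example.test/avatar.png" },
  { type: "script", url: "https://forum.example.test/app.js" },
];

const report = evaluatePage("https://forum.example.test/thread/1", SAMPLE_LOADS);
for (const r of report.results) {
  console.log(`${r.type.padEnd(6)} ${r.url}: ${r.classification} -> ${r.decision}`);
}
console.log(`indicator: ${report.indicator}`); // shield: the HTTP embed is blocked
```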

      2. David wrote on :

        ACK! This new “feature” completely ruins my online course system. I use a lot of embedded iframes from sites I don’t control! This is a disaster for me and my students who use Firefox. I really hate it when developers think “this won’t be a problem for me, so I’ll assume it won’t be a problem for any of the millions of people that use this software on a daily basis.” Give me a break.

  29. Petr wrote on :

    Oh my God!

  30. D wrote on :

    How can I disable the mix content blocker? It is too obtrusive and if there is no solution, I will have to switch browsers. A trusted website may require every page to go through several clicks in order to see the full page.

    1. Tanvi wrote on :

      The security feature can be turned off through the about:config pref security.mixed_content.block_active_content.

      1. Dan wrote on :

        Could you please elaborate on how this can be done. I am not a computer programmer but I am handy enough to follow instructions. This is greatly affecting my company and being able to use Firefox with Salesforce.com with my Call Center solution.

        1. Tanvi wrote on :

          This is the second complaint about salesforce I’ve seen. If you could contact them and let them know about their security issue, that would be great. I will also try and contact them.

        2. Stewart wrote on :

          In the browser URL bar, type about:config.
          In the Search field of the resulting window (after confirming the warning), type security.mixed and double-click security.mixed_content.block_active_content to set the value to false.

      2. Michael wrote on :

        Switching off protection against all sites is too drastic though.
        Surely there should be an option to “trust” certain sites as providing mixed content in the same way as IE allows for Trusted Sites.
        Mixed content is not ideal but it can be tolerable under controlled circumstances surely.

  31. Mario Spezziga wrote on :

    I spent a lot of time building javascript gadgets for my google web site, which uses https. Now everything is useless, because most of my users won’t go through the pain of turning on the active content every time, or even know they should.

    Can you suggest me a way out of this? How can I rewrite everything or solve the problem without giving up interactivity? I am aware that other browsers are going in the same direction (google chrome itself now does the same thing!).
    Thank you

    1. Tanvi wrote on :

      If your javascript gadgets use HTTPS, then there shouldn’t be a problem. The problem would be if you are on an HTTPS page and your gadgets try to include javascript over HTTP.

  32. Trian Karayiannis wrote on :

    And out of the blue our sites don’t work… WTF?

    I hope our users start Googling around for an answer, like I did (and I’m the developer). Luckily this is only an internal tool that loads the Google Maps API “unsafely” :|

    You could have handled this in a little classier manner, like warning users about the change or the blocking. If I hadn’t seen your screenshots in this article, I would never have noticed. All I saw was FireBug throw all kinds of errors all over the place.

    Thanks a lot,

  33. Michelle wrote on :

    Hi Tanvi! I wrote above about the grocery website. Thank you for your replies! A few things: the areas that Firefox blocks are not in the account area where people enter credit card etc, because that does not have mixed content.

    I am only a customer there, but as regards this website, any new customer coming to that site using FF 23, will be blocked and just leave (most likely), unless they realize why. I am thinking there should be something (like a pop up, but not a pop up), that tells the person why this site is blocked. The very quiet little icon there did not impact me to even think to click on it and see that submenu about it being blocked.

    Only reason I noticed the icon is I searched the net and finally found old article about firefox blocking mixed content in future. I happened to know from years ago when first using the grocery site that it had mixed content, otherwise don’t know how long it would have been before figuring out what was wrong and seeing what to do.

    So, something significant to get the user’s attention as to why the site is being blocked, such as Firefox has for an attack page, or something like that, with directions on what to do.

    The other thing I wanted to mention is that this grocery website will have to do something drastic to not lose new customers, and to lower the frustration of the firefox shoppers, and I can see them totally just never working to be sure site continues to work with firefox, and so forcing people to use IE. So, the security enhancement firefox is trying to help us with can end up making us less secure in the end.

    One question:

    You wrote: “The security feature can be turned off through the about:config pref security.mixed_content.block_active_content.”

    Is that something I can do to permanently shut this function off? I ask that because in posts above that one somewhere, you had written that nothing can be done.

    Also, can you give the link to directions to change that in about:config if it’s a permanent stop to the blocking.

    Tanvi, I just want to thank you for this blog and this topic. Thank you for caring and your help!

    Blessings!

  34. James wrote on :

    How do we permanently disable the Mixed Content Blocker?

    I am finding that the Mixed Content Blocker combined with the HTTPS-Everywhere plugin is screwing up the New York Times home page. To make things worse, Firefox is not remembering the “Disable Protection on This Page” setting from one visit to the next. This makes visiting the New York Times website to be a huge hassle.

    The Mixed Content Blocker is simply not ready for prime time. Until Firefox is fixed so that the “Disable Protection on This Page” setting is remembered from one visit to the next, I would like to disable the Mixed Content Blocker completely.

    1. James wrote on :

      I found my answer in the footnotes. about:config -> security.mixed_content.block_display_content = false.

      The ideal longer-term fix is for Firefox to remember the “Disable Protection on This Page” setting on successive visits to a given web page.

  35. torvista wrote on :

    This “feature” wasted a lot of my time and my hosting service’s time figuring out why a long-working page would not load. So, the “warning” is easily overlooked. Surely an explanatory pop-up (that can be disabled in the pop-up) when mixed-content is blocked is the obvious thing.
    No whitelist…unbelievable!

  36. Penny wrote on :

    Though I do not understand all of this, I found out the hard way. I work transcription jobs on Amazon Mechanical Turk, mturk.com. A couple days ago every job I loaded would come up with a blank screen. These loads involve pulling up some audio, so I think that’s why the block occurs. It took me a long time to figure out to right click on the grey shield, as it is very quietly hiding on the browser bar. I can disable, yes, but I’m reloading the page every 2 minutes or so all day long. I must disable each time.

    I see I can go into about:config, but I really don’t feel comfortable messing around in there. I’m just a regular computer user. First off, I might mess something up and not be able to correct it. Secondly, then I’m turning this so-called protection off on every site, and so I’m unprotected overall.

    Please give us a way to turn this off per site. Thank you!

    1. Tanvi wrote on :

      We have a bug on the mechanical turk issue and have notified them of the security issue (https://bugzilla.mozilla.org/show_bug.cgi?id=892810). It would be great if you could also alert them.

      We are working on a bug that will help alleviate some of the issues by persisting the preference the user chooses while they are navigating a particular domain (https://bugzilla.mozilla.org/show_bug.cgi?id=902350).

      There is also a bug that discusses whether or not to implement a per domain whitelist. Feel free to provide your feedback and suggestions there (https://bugzilla.mozilla.org/show_bug.cgi?id=873349).

  37. Digitalus wrote on :

    The security feature can be turned off through the about:config pref security.mixed_content.block_active_content.

    Well, at least this is still able to happen, because really you should not have implemented this feature as a mandatory thing, and at the very least provided a PERMANENT disable button in the UI, not this temporary disable thing, because the temporary disable is virtually useless on every single webpage/website in the entire internet, since all pages have their own refresher timer now, plus it seems that you guys have been putting FF on its own refresher timer thing for every single tab you have open.

    So because I like to NOT have to log in every 5 mins into my email username I am now forced to go into the config and turn this thing off, because basically I hate it. If I myself wanted a feature like this I would have gotten the appropriate add-on.

    I do like that you guys want to help us with things like this though, but please when you make stuff like this, give your users AS MANY OPTIONS AS POSSIBLE! Like a permanent disable button without having to go all the way to the damn config.

  38. fabio wrote on :

    What about FF sending automatically a mail to domain owner of broken sites?

    1. fabio wrote on :

      This is not a great idea, but you could at least send the list of broken sites from FF to a Mozilla DB to gather some statistics and from here send mails to domain owners.

  39. Dick Boland wrote on :

    “How do you inform the user about a potential security threat without annoying them and interrupting their task?”

    You don’t, you just go ahead and turn the thing on and leave them no control to turn it off so that the repetitive task they are working on involves three extra clicks through a gigantic pop-up cascade to get to the point where they can choose one of 2 options. Certainly you don’t want to allow the dumb user to be able to turn it off for a specific page they trust, but rather force them to click through the ridiculously overwritten cascade of unfolding pop-ups each and every time – no that won’t be annoying or disruptive to their tasks – god forbid the 2 clickable options should appear on the initial pop-up bar – no, it is much better to force the user to click the pop-up bar to bring up the gigantic pop-up window, so that they can scroll across the screen to the opposite corner where they can click a small button to bring up a third pop-up that actually contains the 2 clickable options.

    You have just made Firefox completely and fully annoying and disruptive and useless to me. To boot, now the videos I must review start and stop and pause and buffer because of whatever inefficient or hoggy memory or processor intensive code you are running for the protection of the dumb users is choking down my bandwidth. I have not had any bandwidth problems for 2 years until yesterday.

    And I feel certain that any other browser is THE ONLY SOLUTION available to me, so Firefox is now perfectly secure on my machine because there is no point in even starting up the program.

  40. Jay wrote on :

    I’m glad to know how to defeat it. Every time the front pages of nytimes.com or boston.com refreshed, I had to click to disable the protection. If I hadn’t found this instruction, I would have switched to Chrome despite my long-term preference for Firefox. You need to provide a way to whitelist a site.

    1. Tanvi wrote on :

      Note that the HTTPS version of nytimes.com and boston.com are also broken on Chrome and IE who’ve had this feature for a long time. We’ve tried contacting both companies. You would find yourself with the same experience if you switched to Chrome.

      The discussion about providing a whitelist mechanism is in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349. Feel free to add your feedback and suggestions there. Thanks!

  41. Billy wrote on :

    Wow. Remember when Firefox was introduced as the lean and fast alternative to the bloated hog the old Mozilla browser had become?

    I wanted a web browser, not a nanny. I spent twenty minutes trying to figure out why websites weren’t loading before I found that stupid shield you hid next to the url bar. Please give users an easy way to disable this latest internet-breaking “feature.”

    1. Michael Nguyen wrote on :

      No kidding! What in the world are you guys doing? Why does all software always devolve in this direction?

  42. Sam wrote on :

    In sites like Marketo or other marketing automation software, this new change blocks content from loading, rendering it impossible to design landing pages because you can’t see the design properly. Can you work with companies like Marketo to address this?

    Also, instructions in comments above said to go to About–>Config to disable this. I cannot find that option in Firefox. How do I disable this feature for all pages?

    Alternatively, how do you disable it on a page-by-page basis rather than disabling it entirely?

    1. Tanvi wrote on :

      We have gone through the Alexa Top 1000 and tried to find sites that have this security vulnerability. For a number of them, we have contacted them. You can see a bunch of that work tracked from this bug (https://bugzilla.mozilla.org/show_bug.cgi?id=844556). It would be great if you could find a contact at Marketo and let them know about their security issue.

      See footnote [2] for instructions on how to get to about:config. If you want to turn this feature off, you need to set the security.mixed_content.block_active_content preference to false. https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2

      There is a discussion on whether or not to allow this feature to be disabled on a per-page basis (with a domain whitelist) in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349. Feel free to add your feedback and suggestions to that bug. Thanks!

  43. mark wrote on :

    Hi, how do I stop this block happening on the Sainsbury's website? It is very annoying; I use the website to do my weekly shop, and am getting fed up with having to keep unblocking it every time I use the site.
    Each time I log in I have to unblock the site twice on each visit.

    1. Tanvi wrote on :

      A mechanism to whitelist a particular site is being discussed in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349. Please feel free to provide comments there. Thanks!

  44. Walt wrote on :

    Hello, is there any way to disable the mixed content blocker permanently for particular sites so that we do not have to manually disable it on every site visit?

    Thank you.

    1. Tanvi wrote on :

      A mechanism to do that is being discussed in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349. Please provide your thoughts there. Thanks!

  45. Robert Johnson wrote on :

    This reminds me of something that my mother would do as a child. I am not a child nor do I want to be treated as a child. Get rid of this nanny BS!!!!!!!!!!!!!!!!

  46. Patrick wrote on :

    We have a lot of intranet sites where I work. All of our procurement, computer and phone repairs, pretty much everything is done on-line. Without a white list I have to unblock virtually every site I visit, which could be way over 30 each day. To say this is frustrating is an understatement, but since FF thought it was a good idea to roll this feature out without a white list, I’ve decided that Google Chrome will work better for what I need. I’ve used FF for years and loved it, but now you’re a huge pain in my ass. See ya.

  47. MRL wrote on :

    How can I disable all content blocking in Firefox permanently? It prevents me from doing my job by consistently blocking internal website pages at my company – every time I access one of them, I have to select “Disable Protection on This Page,” even when I backtrack to pages I’ve previously given permission for. It’s hugely irritating and detrimental to job performance. I will abandon Firefox if it’s not possible to disable this tool.

    1. Tanvi wrote on :

      We are working on making this persist as you navigate through a site: https://bugzilla.mozilla.org/show_bug.cgi?id=902156

  48. John Cena wrote on :

    You are Kurt Angle and you suck !

  49. Notahappycamper wrote on :

    Tanvi,

    Unfortunately my company will need to begin moving thousands of our clients over to google chrome as the lack of a whitelist feature is preventing them from using our site. This is unfortunate, as we have been pulling clients to mozilla for years. I understand the need to enhance security, however, not including a whitelist feature is asinine and will cost you thousands of users from my company alone. Do the smart thing and create the whitelist feature.

  50. Rudi wrote on :

    I’m going to add my voice to the many here calling for the addition of a whitelist feature ASAP on both a sessional (temporary) and permanent basis. I’ve resorted to turning this feature off in the meantime because it’s just so ANNOYING on sites that I already trust. I’m sorry; I know your intentions were good, but I don’t think the time and effort were put in to thoroughly implement this in order to minimize the negative impact on the end-user!

    1. tgentry wrote on :

      Is there a way to disable this entirely? I’m working in a sales program and you’ve just tripled the time to do my job. I can’t find any way to disable it except one page at a time. If I can’t disable this feature I’m going to have to use Chrome.

      1. Tanvi wrote on :

        You can disable it through the about:config setting security.mixed_content.block_active_content (as described in footnote 2 for display content). This is a way to disable it globally. We are discussing a way to disable it per site with a whitelist (https://bugzilla.mozilla.org/show_bug.cgi?id=873349) and also working on persisting the “disable protection” choice a little bit longer (https://bugzilla.mozilla.org/show_bug.cgi?id=902156).

        1. David B wrote on :

          For me and I guess a lot of people Tanvi’s post might as well be written in Chinese.

          Can we have a pointer in big capital letters that says ‘you can turn this feature that stops you accessing poker tournaments that you have paid for off by pressing this button’ and then a button?

          My poker works in Chrome, and if it doesn’t work in FF within a day or so then I will be uninstalling FF.

          David

          1. Tanvi wrote on :

            Chrome is soon going to block mixed content iframes too (Chrome 30). So your poker website will soon break in Chrome, Firefox, and IE. Perhaps you could let the website know about the issue and ask them to fix their security hole.

          2. David B wrote on :

            I sent a couple of mails to Sky Poker via their help system but they are not in my sent file. Just told them of my problems on their live chat thingy. They just recommend using IE

            Want simple white list button for dummies like me!

            David

  51. Fabel wrote on :

    Can you make it so I can permanently allow some things. Most people that will allow things through this are complete idiots and know what's safe or not. It’s extremely annoying to have to keep temp-allowing Google Calendars or other forum widgets when I need to check something.

  52. Likeyn wrote on :

    This makes some of my daily bookmarklets like FlexibleNav (http://greweb.me/flexible-nav/demo/) completely unusable on forced-HTTPS websites, like https://support.skype.com/ . The idea’s good, but we need its implementation either to be smart enough to guess what’s dangerous and what’s not or to provide decent options for it. I’d personally prefer the latter.

    1. Tanvi wrote on :

      Bookmarklets that introduce mixed content to HTTPS sites are blocked. Try updating the bookmarklet to source the https version of the script (if it exists). To chime in on the discussion on what to do for the bookmarklets case, see bug https://bugzilla.mozilla.org/show_bug.cgi?id=886663.

  53. John Rahndy wrote on :

    I am never so harsh, but you literally destroyed our website that serves foreign content in iframes. Mozilla has made this feature without giving any thought to the after-effects; you ignored iframes, sandboxed iframes, whitelists, and on top of that it doesn’t even remember the unblocking for the session.

    Has Mozilla skipped all QA for this feature !

    I see people have been posting against this since the Aurora, I just wonder how this made to the release ! Somebody is gonna lose his/her job.

  54. Ivan wrote on :

    TLDR – if you have an issue with the mixed content blocker that you plan to solve by going to another browser, then you are missing the point. And yes, other browsers support this too.

    I have been reading these comments and I am very amused by some of the stuff that people are saying. Most of the negative comments don’t make any sense either. I have the following question to all of the people that threatened to leave firefox for IE, or Chrome, how exactly is that going to solve your problem? Can you please explain this? The blog post clearly states that both Chrome and IE already support some degree of mixed content blocking. Chrome is moving to stricter control too. Moving to another browser is not going to solve your problem.

    Further, you are missing the big picture here. The problem isn’t that the browser doesn’t render some dingy little unheard of website – the OP already stated that mozilla has worked with Alexa’s top sites, so it should be a very rare occurrence that this is an issue in the first place.
    The problem is that your dingy little website doesn’t care about your security on the web, or the engineers did not design it correctly in the first place.
    The way things move forward in this world is by someone – an individual, or an organization taking a stance and trying to improve the current state of affairs. A lot of security on websites is laughable – as you’ve noticed. A lot of engineers don’t design things correctly. How do you expect things to improve, if the problems aren’t visible in the first place? Is it better for the problem to be fixed, or hidden from our views? Which do you prefer?

    The offending party here and the one you should go and complain to are these websites that need fixing, not mozilla, not google, not microsoft.
    What you are effectively doing is penalizing the messenger for the bad news.

    Did you actually follow through and read the referenced bugs on bugzilla that were posted by the OP? I did. After doing so, I felt relieved that so much prior thought was put in by the engineers and UX team at mozilla. Is this a controversial issue? Yes, it is. Is it going to inconvenience us for some time before websites get their act together? Yes. Is it going to be for the better in the long run? Yes. Can we please get off of our high horses and accept that some inconveniences are acceptable as long as there is a long term desirable goal?

    I was wondering why a whitelist approach is not a good idea too. I read the replies, read the bug numbers and I changed my mind. This is not the right approach to solving this. The problem is not the Mixed Content Blocker. The problem is the bad websites.
    The OP gave you two workarounds – if it’s a page you visit rarely and are willing to take the risk that was explained in the original post, click on the shield. If you like living dangerously then go to about:config and disable this. And no, don’t ask how to do this again, the OP posted the same freaking url multiple times. Reading comprehension is not illegal .. yet. Thanks for reading :-)

    1. Foolish Ivan wrote on :

      @Ivan There are several use cases when one might need to embed foreign content, like sandboxed iframes. But you know what, this even blocks the sandboxed iframes.

      If sandboxed iframes were to be blocked, then why in the world was sandboxing introduced to HTML5?

      There are several websites I know that solely have the task of embedding foreign content. How in the world would a user using my CMS and trying to embed a foreign script know why their pages stop working? How in the world can I force everybody to use HTTPS because we are on HTTPS and they are trying to embed their HTTP content in our HTTPS pages?

      1. Tanvi wrote on :

        There is a discussion about allowing sandboxed frames in bug https://bugzilla.mozilla.org/show_bug.cgi?id=903211. In order to reduce the risk of mixed content frames, a number of the sandbox attributes cannot be set on the frame. In your use case, do you need to set the allow-scripts option for the framed content to function correctly?

  55. Tim Hall wrote on :

    Is there a way that you can detect that content has been blocked with Javascript?

  56. Chris M wrote on :

    This desperately needs a per-site whitelist. It is blocking the navigation popups on every Wikimedia wiki that is not Wikipedia, and really should not have been put into production without both this and a simple opt-out in the GUI. This very article notes the web isn’t ready for you to roll this out – yet you went and rolled it out!?

    I have wasted a good hour now trying to figure out why features don’t work that used to, only to find that yet another organisation has decided that they know better what their users want than they do and included alpha features into production releases.

    I don’t have time to wait for every page to reload every time I need to actually use it, so I’m turning this feature off. What a good way to improve your users’ security

    1. Tanvi wrote on :

      Hi Chris,
      It would be very helpful if you could provide a wikimedia url where you are experiencing this issue. Thank you!

      Also note that the post says that the web is not ready for us to turn off mixed display content by default. Mixed display content is still allowed.

  57. coffee-turtle wrote on :

    Great proactive work guys!
    However, I would like to have a way to exclude certain domains.

    1. Tanvi wrote on :

      We are discussing a whitelist feature for domains in bug https://bugzilla.mozilla.org/show_bug.cgi?id=873349. We welcome feedback on that bug.

      1. BillD wrote on :

        That is ABSOLUTE UNADULTERATED BULLSHIT!

        What IDIOT would implement something like this and NOT have whitelists and other NEEDED and OBVIOUS features????

        There are MANY people (“developers”) at Mozilla that seriously need to be FIRED.

  58. ookami wrote on :

    I have two major cases affected by this feature, both of which are scripts made by me, for me, and never used by anyone else.

    #1: a bookmarklet which loads a JavaScript from my (http) website and creates a context menu with various functions to handle images and web searches

    #2: a Greasemonkey script which loads a Japanese dictionary search on Google+ and Facebook when I select text and click a button. The result is loaded in an iframe over http.

    If I understand correctly, my options are either making my site use https and asking the dictionary site do the same, or disable mixed content blocking. I have no intention of using https on my site just because of this, and I don’t even know how to do it. The site has nothing else that would require SSL. Therefore, I disabled mixed content blocking. I hope that possibility won’t be removed from about:config.

    1. Ivan wrote on :

      if you have an http web page, this doesn’t affect you.

      1. ookami wrote on :

        My script is at an http site, but I add it to an https site. So yes, this does affect me.

  59. Chuck wrote on :

    Can I turn off this shitty “feature”?

  60. BAhador wrote on :

    Hi… For Facebook, YouTube and other sites I used Proxifier (Acc Max). But for using this, I turned off SSL 0.1 in Firefox… When I updated my Firefox to 23 that tab was gone… And I can’t find SSL 0.1 to turn off… I can’t use my proxy any more… What can I do??? In Firefox 23 can I turn off my SSL 0.1 or not?

    1. Tanvi wrote on :

      This sounds like a different issue that is not related to the Mixed Content Blocker.

  61. Bob Nicholson wrote on :

    This is garbage. Suddenly common websites stopped working. And no, I did NOT notice the little shield icon, until I’d wasted a lot of time reloading pages, restarting my browser, etc.

    All I want to know is, how do I turn this off, permanently? If I can’t I will be switching browsers.

  62. Suresh Chari wrote on :

    STUPID, ANNOYING IMPLEMENTATION. I have a dropbox page that I created, inside which I have frames and iframes where I load content from wiki pages that I maintain in my own domain. All of a sudden, these embeds have turned BLANK because of the blocking. Further, I have links that point to other such pages, where THE BLOCKING HAPPENS *EVERY TIME* I CLICK ON THE LINKS, even if I have used the UI to turn off blocking. EVERY FRIGGING TIME – WTF??

    STUPID, absolutely STUPID.

    1. Tanvi wrote on :

      We are fixing the persistence issue you are experiencing in bug https://bugzilla.mozilla.org/show_bug.cgi?id=902156. It should land sometime this week and get uplifted to Firefox 24.

  63. David B wrote on :

    It just cost me some money because I couldn’t open my table in the on line poker site I use,

    The allow feature in ur just closes the window.

    Really, really, hacked off

  64. Josh Davis wrote on :

    This is frustrating. New features forcibly turned on without a way to turn them off. “disable” link doesn’t really work. For example, go to a website over https, and then use a javascript applet, such as amazon’s wish-list add… it is blocked as unsafe. I can’t mark it as safe, and if I click on the security button and say to “Disable Protection on this page”, it stays broken, because disabling protection on that page forces a page reload, which resets “protection.”

    So basically, because of all of the layers of fear everyone has over Javascript, we’re turning FF into IE, where most everything fails to run because it’s safer. That’s fine, as long as I have the option to completely disable this new ‘protection’.

    1. Tanvi wrote on :

      We are fixing the persistence issue you describe in bug https://bugzilla.mozilla.org/show_bug.cgi?id=902156. It should land sometime this week and will get uplifted to Firefox 24.

  65. Telma wrote on :

    FIrst off, I’m a pretty basic user so I don’t necessarily understand most of this stuff.
    What I did experience though is this, and it was annoying to say the least.

    I run many scripts (ten or so) via Greasemonkey to skip ad pages, get direct links and whatnot. Today I found out, even though I have had FF23 for a couple of days I think, that it wasn’t working on a website (flickr). It took me a while to discover this tiny new icon on the left of the address bar. Once I disabled the protection the scripts were running smoothly. The thing is, I have to turn the protection off on every single page of the same website, every time. It doesn’t make sense.

    As I said I’m no expert, but can’t this new feature, which I understand should be for our own good, recognize user scripts, scripts installed by the user in FF, perhaps through Greasemonkey, or something like that, so that it doesn’t block my own scripts?

    That’s basically what I like about FF, it allows for so much customization, but not so much now.

    1. Tanvi wrote on :

      The issue where you have to disable the protection on every single page is being fixed – we have a patch and are going through reviews; it should land sometime this week and get uplifted to Firefox 24. https://bugzilla.mozilla.org/show_bug.cgi?id=902156

      I agree that custom scripts are very useful. But a user introducing an HTTP script on an HTTPS page carries the same level of security risk as the website itself including the HTTP script. Because the script is over HTTP, it is vulnerable to a man-in-the-middle attack and compromises the integrity of the page and your security while using the page. Note that the issue here is a network attack, not an attack on the website’s servers. Hence, we do not differentiate between the two. If you can update your Greasemonkey scripts to source the HTTPS version of the scripts, that should solve your problem.

  66. florian wrote on :

    Hey Tanvi,

    What would be the best suggestion if you need to communicate with localhost?

    I do have one particular use case where a small API server runs on localhost, and my users are using this API from a webpage on my website. It used to work fine before this new setting, and disabling the mixed_content blocks for the whole Internet sounds like a bad idea.

    Let us know!

  67. si wrote on :

    The grey symbol does not exactly leap out ! I spent hours trying to work out why I couldn’t see some iframed content !

    Why don’t you generate a warning message ?

    Si

    1. Ivan wrote on :

      Hello si,
      This has been implemented and currently in reviews. You can find out more about it here: https://bugzilla.mozilla.org/show_bug.cgi?id=875456

  68. Pat Cartier wrote on :

    Please , just don’t !!! Get the F**/ out of my browsing / i’m switching back to explorer ! So long modzilla !!!!!!!!!!!!!

    1. Pat Cartier wrote on :

      Moderate that all you want , you have just messed with browsing experience for the last time anyways }; /

    2. Tanvi wrote on :

      Note that explorer also blocks mixed active content.

  69. Harald wrote on :

    Got to this point getting more and more impatient since nobody seemed to be willing to support Tanvi and the FF team involved (btw: don’t know whether I’d be able to state things over and over again in this dispassion – admirable, Tanvi!). Many thanks, Ivan! Whitelisting wouldn’t help on this kind of security issue. End of story. It would only help to weird sites being able to stay weird (and to prevent users being dependent on these sites from getting insane, of course).

    For all of you bashing Tanvi / FF: I conceive that security can be annoying. But if this (security) obviously is not a thing for you: why the hell don’t you just turn this feature off at all (or: why are you using Firefox??)? Why are you blaming someone intending to do his best for us this ugly way?!

    For all of you unhappy / dissatisfied with this little shield: This is much more substantial (for my point of view). I know users that even overlook the “would you allow ff to forward to this page”-bar (don’t know the original english phrase). Such users never ever will notice a lock changing to a shield or a globe or anything, definitely. But I’ve no idea at all what to present how and where instead, unfortunately. UI is one of the most crucial things in developing software, this is for sure!

  70. Sarah wrote on :

    I made some tests and faced some strange behaviours.

    I have a frame (https) and opening a URL (ftp) with window.open() works fine. But when I do an ajax call before opening the same URL, no site is opening and also no error message is displayed.

    example:
    function mytest1(){
    window.open("ftp://user:pass@mydomain.com", "test"); // works
    }

    function mytest2(){
    $.get('any_ajax_url', {id}, function(data) {
    mytest1(); // fail
    });
    }

    I am 100% sure that within mytest2 my ajax call is working and mytest1 is called, but nothing happens afterwards.

    Can anyone help? Is that a firefox bug?

  71. kevinraymund wrote on :

    Hi! Ever since Firefox made changes to their Mixed Content Blocker, our app on Facebook will not load anymore. We are using this app to get reservations for our would-be enrollees. Our app site is https://apps.facebook.com/sodreservation/ Is there a way we can go around this so that our viewers/would-be enrollees don’t have to click that “shield icon” of yours, especially those who are not technically savvy? Please advise the soonest on what to do.

    1. Tanvi wrote on :

      Looks like you are iframing an http page within an https page: http://davaohub.com/raymond/sodreservation/. If you update this link (and the links embedded within it that point to google’s recaptcha) to HTTPS then your app will work on IE, Firefox 23+ and Chrome 30+ without the user needing to click on a shield or security warning to disable protection.

  72. Jocelyn wrote on :

    I would like it if the disable feature would work for domains. I use a Marketing Automation platform that enables me to edit landing pages and other content on my website via an https site. The pages I’m editing are pulling http templates so they “look and feel” like my regular website.

    If you could make the disable feature permanent for domains users select (e.g. domains they trust), then that would solve a lot of the issues that folks are having with this rollout.

  73. Dave Kidd wrote on :

    Hello, is it possible to turn this off? We use a video hosting service that allows us to embed our videos the same way YouTube does. But now, FireFox blocks the embedded videos on our Google Sites. Is it possible to turn this off?

  74. Lynn wrote on :

    I turned it off. It insists on blocking a lot of the content on the university website I use for my work. That’s not happening.

  75. Tommy wrote on :

    We use Blackboard as Learning Management System. Our Blackboard server sits on our premises behind an F5 load balancer, and the F5 box offloads SSL. So our users browse to the Blackboard URL and it’s HTTPS, although the origin server is just HTTP. That works fine, no problems. Then we also use course content that’s provided by external course providers, such as Class.com and Aventa Learning. Their content is hosted on their servers, and it’s over HTTP. This is one of the reasons that we’ve suggested to users over the years that they use Firefox instead of Internet Explorer (among other things). The ability to display mixed content without annoying the user or having to give them too many step by step instructions is important. You may consider this a nice feature, but we consider it another annoyance. Users are now being encouraged to use Google Chrome. It just works. I would suggest that the user interface that you present when you block mixed content be a little more ‘in the face’ of the user so they know what’s going on without having to look for that little shield, which no one so far has noticed. At least IE pops up with that yellow bar. Then when the user interacts with you, allow them to disable mixed content checking for anything embedded in pages from our sites (they can specify the domain), and let them opt to disable mixed content checking altogether. We’ve gotten along just fine through 22 versions of Firefox without this feature.

    Reply

    1. Tanvi wrote on :

      Directing your users to Google Chrome will only work temporarily. Chrome 30+ will also block mixed content iframes because of the security risk that they pose.

      If we were to allow mixed content sandboxed iframes, would this meet your needs? We are debating adding an exception for sandboxed frames that cannot navigate top level, include forms, or run script in bug https://bugzilla.mozilla.org/show_bug.cgi?id=903211. We’d love to have some developer feedback to see if this would be useful.

      Reply

      1. Tommy wrote on :

        Chrome may add the same feature with version 30, but there’s a pretty good possibility that we’ll be able to administer the new settings through Group Policy and our Google Control Panel. Hopefully we’ll be able to disable the feature or at least push out a white list. Anything that’s embedded in pages whose parent is our own domain should be allowed ideally.

        The mixed content sandboxed iframes could do it. As long as the scenario that I described works at the end of the day, I’ll be happy.

        Reply

  76. ricardo wrote on :

    I like the idea, but can you fix it for this website, sportsbook.ag? It does work, but then once I click on another sport it asks me again to unblock it, and it gets annoying. It should only ask you once when you’re on the page, and once you unblock it, it should let you be on it like before.

    Reply

    1. Tanvi wrote on :

      This will be fixed with bug 902156 that should land this week and get uplifted to Firefox 24.

      Reply

      1. lasvegas wrote on :

        “I like the idea, but can you fix it for this website, sportsbook.ag? It does work, but then once I click on another sport it asks me again to unblock it, and it gets annoying. It should only ask you once when you’re on the page, and once you unblock it, it should let you be on it like before.”
        Have you fixed this? I get the same problem with the website http://sportsbook.ms. Does that have something to do with both being sportsbooks? Sportsbook.ag and sportsbook.ms have similar content.

        Reply

        1. Tanvi wrote on :

          The https version of sportsbook.ag and sportsbook.ms don’t seem to exist. The former redirects me to the http version and the latter has a cert error. Disabling protection on a domain will persist across that domain for that tab. If you switch to a different domain, the persistence is gone. https://bugzilla.mozilla.org/show_bug.cgi?id=902156

          Reply

  77. BillD wrote on :

    This has COMPLETELY f**cked me.

    I have a local LAMP server setup with a .JS library that I load with bookmarklets, which then call the function in the library to do what I want. It makes it much easier on me instead of having a bunch of unreadable JS code in a bookmark.

    For example, if an image happens to be on HTTPS:, which for some “stupid” reason sites like Facebook are doing, among others, then it is now blocking the load of my library and the bookmarklets do not execute! (to manipulate the image in whatever way I want)

    If they were going to do something like this, you should have taken certain scenarios into account, like allowing local file servers to override the blocks via a setting or something. (and DO NOT tell me to enter a BUG fix or something, because that is one of the most fruitless things a user can do — just look at the Firefox bug system and it’s a joke how many there are, and how few actually get fixed and worked on)

    This is just typical of the short-sighted (long-sighted claimed) crap that the “developers” at Mozilla are doing that is causing Firefox to become a crap browser. People are already leaving Firefox in droves, and the complaints have increased in quantity in extraordinary numbers from what they were just a few years ago. (someone at Mozilla needs to be fired)

    Reply

  78. tgentry wrote on :

    Sorry, I can’t wait any longer. Going with Chrome.

    Reply

  79. Judi Hauck wrote on :

    I work a number of HITs on Amazon Mechanical Turk that are purposely set up with “mixed content.” I can, of course, click off of this blocking, but I have to do it EVERY TIME a new HIT with that same setup loads. Is there any way that I can turn this off just for AMT?

    Reply

    1. Tanvi wrote on :

      This issue should be resolved by the fix to bug 902156 (https://bugzilla.mozilla.org/show_bug.cgi?id=902156), which will land this week and get uplifted to Firefox 24. This way, you should only have to hit “disable protection” once while you are using mturk.com and can go through multiple hits. When you close the tab or navigate away from that domain, the protection is reset. Also note that we’ve tried to contact amazon about this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=892810

      Reply

  80. Tim Hochgrebe wrote on :

    TURN IT OFF !!! – or give us an option to disable it.

    Our website uses mixed content on a number of pages and it would be super hard to get this changed. All our user details and shopping pages are FULLY secure. The problem lies in other areas.

    Reply

    1. Tanvi wrote on :

      Do you use secure cookies? Mixed active content in your other HTTPS pages can steal these cookies (secure or not) and compromise your users’ accounts.

      Reply

  81. Alan Cockerill wrote on :

    It has stuffed Blackboard’s use of a CMS for subject readings. Very frustrating for our students (and our IT support)

    Reply

  82. Pat McGroyne wrote on :

    Most annoying feature EVER in a browser. I understand the desire for security, as well as the risks. If I wanted something that had almost zero inherent risk, I would throw my computer in a river and then lock myself inside my house forever.

    Reply

  83. Paul wrote on :

    Dear Tavi,

    How did you come up with the idea of blocking bookmarklets in FF, and of making it so that it is not optional?
    How do I avoid mixed content blocking?
    What suggestion do you propose to those of us who had extended their web experience?

    My confidence in FF and FF/OS is very eroded.
    Thank you.

    Reply

  84. Rebecca wrote on :

    I set my homepage to buzzfeed, and ever since my Firefox updated, buzzfeed, Wikipedia, and other sites I’ve used have suddenly become unreadable to me. I Googled the problem and found out about the security that the new Firefox implemented. Although I appreciate the sentiments of the developers, I had to turn off the security /anyway/ by going to about:config, because it was just a headache clicking the shield icon and then “do not block” Every. Single. /Time/ I clicked “homepage” during the same session.

    Google Chrome actually offers the same feature. However, unlike firefox, I just disable it once and buzzfeed will work perfectly for that entire session. Please think about doing a whitelist.

    Reply

    1. Tanvi wrote on :

      The persistence issue you mention is being fixed in bug 902156. It should land and get uplifted to Firefox 24 this week.

      If you could give me an example wikipedia/wikimedia site that blocks mixed content, that would be very helpful! I have tried to reproduce the issue on wikipedia and either get a fully encrypted website or get an HTTP website. You aren’t the first person to complain about wikipedia, so I’d really like to get to the bottom of this.

      Reply

  85. Wendy wrote on :

    What Mozilla didn’t consider was learning management systems and how we have to embed code for a video into it. This new security feature is a problem as we now have to tell students to allow for every time they visit a page that has embedded material. We have been suggesting Firefox for years now and will have to start using Chrome instead.

    Reply

    1. dean wrote on :

      This is so true, and we are running into the same issue at our institution. Mozilla’s approach seems to be not well thought out, as users do not even receive a notification if content is blocked. The page is just blank. As with many things developed by engineers, the focus on user experience is lacking.

      Reply

    2. Mike wrote on :

      It does appear that Mozilla did not account for students using learning management systems when they built this feature. By institutional policy we absolutely must deliver mixed content to our users (a secure LMS and some non-secure video servers). So a white list would be a perfect solution for us.

      I believe that academic institutions have always been an important gateway for generating new Firefox users. From the day Firefox came out we have been recommending it as the most trouble-free browser for learning management systems. But as of today we will start telling students to avoid Firefox because it has no white list feature.

      Reply

    3. David wrote on :

      This has messed up my students as well. I can’t ask all of my students to switch browsers or to change settings. The warning is also WAY too subtle for them to notice something is being blocked. The space of the iframe should be filled with a warning that says “Content here is being blocked. [continue blocking] [allow remote content].”

      Reply

  86. Mike wrote on :

    I have blogs from Blogger installed in a Google sites website, so that I can post updates via email, which an announcements page on Google sites does not allow. Sites is HTTPS, Blogger is HTTP. Google does not provide an automated way to incorporate Blogger into Sites so I use an iFrame gadget.

    If you allow Sandboxed iFrames everything should revert to normal if I add the code. Otherwise, I can go back to announcements and do it manually :-( Calling Sandboxed iFrames passive gets my vote!!

    Reply

    1. Tanvi wrote on :

      Would a sandboxed iframe without the ability to run scripts, navigate the top level domain, or include forms work for your purposes?

      Reply

      1. Mike wrote on :

        You imply I know what I am talking about :-). I have a Blogger blog (HTTP) embedded in a Google Sites site (HTTPS) using a Google Sites iFrame gadget. I don’t know if Blogger needs to run any of the things you suggest. I was going to add sandbox="" to the iFrame code in the gadget. I know it won’t work at the moment, but if you did allow this it should start working again.

        I appreciate all you guys are doing, but sometimes these sorts of things catch out those that aren’t following the technical discussions that go on. Technically, it is Google’s fault, either because they haven’t made Blogger HTTPS or because their announcements function in Sites doesn’t allow email updates. But then since they provide these for free, I can’t really complain. There are probably a lot of people like me who are using these tools and don’t realize that changes such as these to browsers will affect the user experience. I understand the security implications well enough to see why you are doing it, but …

        Reply

  87. Dre wrote on :

    I am doing development on sites that invoke the content blocker.

    Since there is no whitelist feature, you have now destroyed the UX of Firefox for dev.

    So, even though I would otherwise prefer to use Firefox/Firebug, you’ve just forced me to switch to Chrome.

    Badly done.

    Reply

    1. Tanvi wrote on :

      Perhaps you should consider fixing the mixed content on your site. It is a security issue for your users. Chrome also has a Mixed Content Blocker. Chrome’s implementation is also getting stricter and will be blocking mixed content frames in Chrome 30+.

      Reply

  88. sylvia wrote on :

    Most annoying feature EVER in a browser. I am going back to using IE because I cannot deal with tweaking each page in SFDC just so I can do my job…

    Intentions were good but someone didn’t think this through!

    Reply

    1. Tanvi wrote on :

      We fixed the persistence issue you describe in bug 902156. It will be in Firefox 24 and up.

      Reply

    2. Jeff wrote on :

      You can always install V 22 until V 23 is fixed.

      Reply

  89. Melissa Koenig wrote on :

    We are having a horrible time with content being blocked in our learning management system. (and I would second, third…. the statement that the icon is not obvious the pages just look broken and there is nothing to indicate that something has happened)

    Firefox has been our preferred browser as up until last week it has “played” best with content our instructors place in their courses – with the changes in Firefox 23 most of the content is no longer working (unless it is native to the learning management system).

    For example, YouTube embeds are always going to be iFrame, that is what they give you (all blocked), our videos are currently Flash embeds (also blocked) and any links that leave the learning management system (going to news sites, government sites, etc.) are also blocked.

    Would love to have the ability to tell Firefox to “trust” the referrals that come out of our learning management system but there doesn’t seem to be any way to do this. Honestly this is going to be a nightmare from a support standpoint once classes start in the fall – we are running out of browser options that are both supported by our vendor and don’t unnecessarily block content.

    Reply

    1. Tanvi wrote on :

      Youtube videos do not have to be blocked… all youtube content is also available over https. You just need to update your HTML source to replace “http://youtube.com” with “https://youtube.com”.

      Clicking links to open external sites and leaving the learning management system should not be blocked. Mixed content only applies to embedded content, not to new top level pages.

      Chrome, IE, and Firefox all block mixed active content by default to secure their users. I encourage you to update your website to fix the security issues.

      Reply
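The distinction Tanvi draws in this reply (mixed content applies to embedded resources, not to links that open a new top-level page, and an embed such as YouTube's can simply be switched to https) can be checked against a page's markup before it is shipped. The following is an added example, not Firefox's blocker and not code from this post: a small Node.js audit that pulls embedded-resource tags out of HTML with regular expressions, resolves each URL against the page URL, and reports whether the resource would be blocked as mixed active content, allowed as mixed passive content, or ignored as navigation. It also flags iframes whose sandbox attribute grants none of the script, form or top-navigation capabilities, the case Tanvi asks about in her earlier replies to Tommy and Mike (Firefox 23 still blocks that case; the flag only marks it). The page URL, host names and markup are constructed for the example.

```javascript
// Mixed-content audit of page markup. Added example, not Firefox's blocker
// or any code from this post; page URL, hosts and markup are constructed.

// Embedded-resource tags and their classification, following the post:
// "active" content can alter the DOM (scripts, frames, stylesheets,
// plugins), "passive" content cannot (images, media). <a href> is
// navigation to a new top-level page and is not mixed content at all.
const RESOURCE_ATTRS = {
  script: { attr: "src",  kind: "active" },
  iframe: { attr: "src",  kind: "active" },
  link:   { attr: "href", kind: "active" },     // only when rel="stylesheet"
  object: { attr: "data", kind: "active" },
  embed:  { attr: "src",  kind: "active" },
  img:    { attr: "src",  kind: "passive" },
  video:  { attr: "src",  kind: "passive" },
  audio:  { attr: "src",  kind: "passive" },
  a:      { attr: "href", kind: "navigation" },
};

// sandbox tokens that would give a frame the capabilities discussed in
// bug 903211 (scripts, forms, top-level navigation)
const ACTIVE_SANDBOX_TOKENS = ["allow-scripts", "allow-forms", "allow-top-navigation"];

// Read one attribute value out of a tag's attribute string (quoted or bare).
// Returns null when the attribute is absent, "" when it is present but empty.
function getAttr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return [m[1], m[2], m[3]].find((v) => v !== undefined);
}

function auditMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  const tagRe = /<(script|iframe|link|object|embed|img|video|audio|a)\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const { attr, kind } = RESOURCE_ATTRS[tag];
    // <link> fetches an active resource only as a stylesheet
    if (tag === "link" && !/\bstylesheet\b/i.test(getAttr(attrs, "rel") || "")) continue;
    const raw = getAttr(attrs, attr);
    if (raw === null) continue;           // inline <script>, <video> using <source>, ...
    let url;
    try {
      url = new URL(raw, page);           // relative and //host URLs resolve against the page
    } catch (e) {
      continue;                           // unparseable value: nothing is fetched
    }
    const mixed = page.protocol === "https:" && url.protocol === "http:";
    let verdict;
    if (kind === "navigation") verdict = "navigation";
    else if (!mixed) verdict = "secure";
    else verdict = kind === "active" ? "blocked" : "passive-warning";
    const finding = { tag, url: url.href, kind, verdict };
    if (tag === "iframe") {
      const sandbox = getAttr(attrs, "sandbox");
      finding.inertSandbox = sandbox !== null &&
        !sandbox.toLowerCase().split(/\s+/).some((t) => ACTIVE_SANDBOX_TOKENS.includes(t));
    }
    findings.push(finding);
  }
  return findings;
}

function summarize(findings) {
  const s = { blocked: 0, passive: 0, secure: 0, navigation: 0 };
  for (const f of findings) {
    if (f.verdict === "blocked") s.blocked++;
    else if (f.verdict === "passive-warning") s.passive++;
    else if (f.verdict === "secure") s.secure++;
    else s.navigation++;
  }
  return s;
}

// Constructed course page on an HTTPS learning management system.
const SAMPLE_PAGE_URL = "https://lms.example/course/101";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://static.lms.example/theme.css">
<link rel="icon" href="http://static.lms.example/favicon.ico">
</head><body>
<script src="https://lms.example/app.js"></script>
<script>var inline = 1;</script>
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe sandbox="" src="http://widgets.example/feed"></iframe>
<object data="http://media.example/lecture.swf" type="application/x-shockwave-flash"></object>
<img src="http://media.example/logo.png" alt="">
<a href="http://news.example/story">Read the article</a>
</body></html>`;

function auditSample() {
  return auditMixedContent(SAMPLE_PAGE_URL, SAMPLE_HTML);
}

console.log(JSON.stringify(auditSample(), null, 2));
console.log(summarize(auditSample()));
```

Running the same markup with an http:// page URL reports nothing blocked, which is why a mixed-content problem stays invisible to site owners who only test the unencrypted version of their site. Regular-expression tag matching is enough for an audit of simple markup like this; a scanner for real pages should use an HTML parser.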

      1. Melissa Koenig wrote on :

        That is all true but it means having to manually update thousands of links for our online classes. The design of most online classes encourages content to be embedded (it is a better user experience) – I noticed that Coursera is having similar issues with YouTube content.

        Reply

        1. Debra wrote on :

          I am with a university that develops online courses. We use screencast.com and embed almost all of our videos. With our LMS, Firefox has been the recommended browser, but we are having to rethink this with the mixed content being blocked. We have hundreds of pages of content with embedded videos and this “update” will be a major problem for our students.

          Reply

  90. Hans Hansen wrote on :

    I need that blocker to be inactive at once. I play Kingdom of Camelot on kabam.com – and your blocker disturbs my game.
    If it doesn’t get fixed very very soon, I will need to change browser.
    So far I have been satisfied with FF – but that has ended with your blocker – so please fix that immediately or I will be an ex-user of FF

    Reply

    1. Tanvi wrote on :

      IE already blocks mixed content frames and Chrome 30+ will also block them. You can switch browser but will likely end up with the same experience.

      Reply

  91. eleanor wrote on :

    is there a way to have it default to always allow mixed content?

    Reply

  92. Ophiuchis wrote on :

    I have some webs on google sites with gadgets.
    I CAN’T SEE THE GADGETS now without changing the icon of the Mixed Content Blocker.
    Why isn’t this bad software set as disabled by default?
    I don’t want to inform all my visitors that they have to unblock it if they want to see my web.
    And I don’t think that Google gadgets could be dangerous for the entire universe!

    Even more, I didn’t ask anybody to protect my PC. Why does Firefox force the users like Microsoft?

    By the way, the webs work properly when I see them with Chrome. Think about it!

    (Sorry for my bad english)

    Reply

    1. Tanvi wrote on :

      The issue will likely present itself on Chrome 30+ (currently in Chrome’s dev channel). Can you serve the gadgets over HTTPS instead of HTTP?

      Reply

  93. Brett Rutecky wrote on :

    I own / operate a Facebook tab service. Our pages that are iframed into Facebook via apps are secure; our server is secure. However, sometimes customers want to put a link in their tab / page to a non-secure site. Firefox now blocks LINKS. This problem not only exists with us; it also exists with many such services: Pagemodo, Heyo, First Social, Fanpage Engine, Hubze apps. Firefox blocks links to non-secure content from a secure IFRAME. This is over the top. Compounding this issue is the fact that Firefox gives no obvious notice of what happened. That little grey icon in the navigation bar is inadequate at best. It gives no real information. It looks to the user as if the link was just broken. A pop-up notice asking the user to confirm the link click would have been acceptable and proper.

    A basic philosophy of good software design is that it should empower the user. This newest update does not empower the user; it restricts the user. While it is fine to give warnings before an action is taken, those warnings must be obvious and prominent, and they must give the user the option to continue with the action should they choose. Software should not gank people’s systems and force them to take (or not take) an action. The lack of prominent identification of why a block has occurred (that little shield is very poor) and the lack of an option to immediately proceed with the original action is quite simply ganking people’s system and is a poor design.

    I’m very disappointed with this latest update. While the intent was good, the implementation was done very poorly.

    Reply

  94. William wrote on :

    I agree with Melissa’s comment above. I teach an online class. Suddenly, much of the content that I incorporate through http://www.screencast.com no longer shows up in my class website. Firefox has been our preferred browser, but this change will create major issues with students.

    Reply

    1. Tanvi wrote on :

      If you include your content on http://www.screencast.com this should not affect your site. If you are including HTTP content on https://www.screencast.com these iframes will be blocked by Firefox and IE. Note that starting with Chrome 30+, Chrome will also block these iframes.

      Reply

  95. mark wrote on :

    How do I switch this off? When using Sainsbury’s website it keeps blocking, and is very very annoying when trying to do my weekly grocery shop.

    Reply

  96. Chelly Mechelle Headrick wrote on :

    How do I turn this help off? I can’t play my Mafia Wars with it. I no longer want this. Please help me; I can’t find where to go to take it off. ty…

    Reply

  97. Teddy wrote on :

    Typical, Firefox adding features that people find downright annoying and/or broken. I thought Chrome was bad for that which is why I switched back to FF recently, now I discover BS like this with no exception list.

    Who’s making these brain dead decisions without user input anyways?

    Reply

    1. JS wrote on :

      Guys with no UI experience, who have too much time on their hands, fixing what isn’t broken. Chrome, Firefox… the muffled double-thud is open source software crossing the Bozo barrier.

      Reply

  98. Brett Rutecky wrote on :

    In case you don’t realize it, people DON’T appreciate you playing ‘internet censor’ and simply blocking content that you decide is not to be shown. Software should empower the user, not hinder the user. With that in mind a ‘notice’ would have been fine; a block with no obvious indication of what happened (that silly grey shield is FAR from adequate) and no way to permanently disable this so-called ‘feature’ is not acceptable. When one entity prevents a second entity from choosing to see content from a third entity, that is censorship, plain and nothing more.

    Reply

  99. Isaac (Not Happy) wrote on :

    Well this is great. Now instead of viewing an HTTP address framed inside of an HTTPS webpage I have to view an HTTP address framed inside of an HTTP webpage. That’s really making my browsing experience safer >:(

    Reply

  100. Mike Macey wrote on :

    I have used Firefox for 7-8 years. I have experienced multiple crashes on both our XP and Win8 computers over the past few months. You get my reports but nothing ever changes.

    The upgrade to Mixed Content Blocking has devastated my Agency’s business and my clients’ custom Facebook apps. We have hundreds of apps using reputable 3rd party iframe applications and none of my providers build https://. When we add them for contests, branding, video, sliders, flip books, etc., and internet products like PhotoBucket and Amazon Stores, my clients’ prospects and mine too just leave our apps.

    We are promoting a full change over to Chrome and many 3rd party apps companies are considering the same promoting. V. 23 is costing us a lot of money.

    Surely the great contributors to Mozilla can develop a ‘work-around’ so luddites visiting Facebook Pages with custom http:// apps won’t click-to-leave leaving thousands of businesses scrambling to figure out what the heck is happening. When conversions drop off or stop, we get the calls and they have started.

    We are literally adding prominent headers to inform visitors they should consider changing to Chrome so they can view all content on the web while still having control of their browser.

    It is a pity to miss great content because Mozilla has determined they know what is best for the user! I thought Mozilla folks were anti-Microsoft and stood for FREE Will!

    Mike Macey

    Reply

  101. Ilse wrote on :

    I don’t know if I like this particular feature! I’ve just come across it visiting a site and now I have to check the box to display the page normally with each page I visit in the particular wiki! That really is very annoying! And like Mark asked: How the hell do I turn this feature off?

    Reply

    1. Tanvi wrote on :

      You can turn the feature off through about:config. Open a new tab, type in about:config. Search for security.mixed_content.block_active_content and double click it so that the value switches from true to false.

      However, note that the persistence issue that you mention where you have to disable protection on every page view has been fixed and will ship with Firefox 24 (goes out September 17th to our release users and is currently on beta if you want to try it out sooner).

      Reply

      1. Ilse wrote on :

        Thanks for this tip. I’ll use this until the new version of firefox opens. This particular website is one I use very frequently (as in multiple times a day) and I’m not gonna adjust each and every page I visit. That’s just too much.

        Thank you for fixing this issue in FF24 though!

        Reply

        1. J. Lynne wrote on :

          I am in agreement. It completely rendered the pinboard.in “organize” feature useless. The preview panel is completely blank in FF23 because of it, while I can use it fine in IE. What a complete PIA. I would rather a temp fix than wait a few weeks. I have things to do.

          J.

          Reply

      2. mark wrote on :

        Thank you, this cured the problem I was having.

        Reply

        1. mark wrote on :

          Unfortunately it is now blocking my email account. Very frustrating.

          Reply

  102. Ilse wrote on :

    Also, how do I make it happen that I can press the backbutton and get to view the page like normal, without getting that darn protection again???? I’ve just confirmed the protection should be disabled at this page. I go to another page and return back to the previous page (which shouldn’t have the protection) and suddenly the protection is there again?!?! You’ve just made surfing the web a very annoying thing!

    Reply

    1. Tanvi wrote on :

      We’ve fixed the issue you describe and it will ship with Firefox 24 (goes out September 17th to our release users and is currently on Firefox Beta if you want to try it out sooner).

      Reply

  103. Don Lovell wrote on :

    I have mixed content that is being blocked on my university’s online classroom. Will we ever have an option to allow ALL content from a specific site, as we do with popup blocking?

    Reply

  104. VolkerK wrote on :

    It would be far more helpful if the browser would at least try to obtain the included resources via https: requests instead of the http: requests that their URL specifies, before giving up and declaring the content as insecure and not tolerable. If that fails because the remote site doesn’t serve https (in a trustworthy fashion!) then there’s a valid reason to block the content. But to just block embedded content right and left just because the site’s content includes an http link in an https-delivered page is totally counterproductive and throws out the kid with the bathwater. The links may be static content that is dynamically rendered within both http- or https-delivered pages. Or whoever created the link to the remote content (and who is almost never a security specialist) didn’t know to make his links use https. There are many other good reasons why sites may have mixed content, and will just break with Firefox 23. Good job indeed!

    Reply

    1. Tanvi wrote on :

      There is a bug open to autoupgrade mixed content http requests to https (https://bugzilla.mozilla.org/show_bug.cgi?id=776278). There has been a lot of back and forth on whether or not this is a good idea. Your feedback there is welcome.

      Websites can use protocol relative urls so that they don’t have to rewrite their pages for http vs https:

      https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content#How_to_fix_your_website

      Reply

  105. abc wrote on :

    Can I not use this?

    Reply

  106. Alexander wrote on :

    Good intention, very-very bad realization.

    This option forced me to switch to Chrome because I can no longer access the Microsoft site using Firefox at all. Just try: https://www.microsoft.com/visualstudio/eng#products/visual-studio-express-products

    To find instructions on how to turn it off I spent a lot of time – why not include them in the page describing this feature (“How does content that isn’t secure affect my safety?”)???

    This looks like thinking about us, users, as complete dummies who are not able to decide whether the content we are using each day is really harmful.

    Reply

  107. Terry wrote on :

    I have used Firefox for years. At this point I can no longer use it or set it as the default browser for over 1,000 computers. You have just made Firefox useless for many Internet users.
    Chrome has a blocker, but not when you’re running on the same domain. I think the way this was handled will make many people switch off of this browser. I wish this would be fixed soon.

    Reply

  108. Debbie wrote on :

    I just want to turn this feature OFF. I am using iframes and it is breaking my content. I can’t just trust the sites and be done with this? I have to okay the page every single time. I have training in iframes so this is PAINFUL…

    Reply

    1. Debbie wrote on :

      Found the solution: https://support.mozilla.org/en-US/questions/967760

      Reply

  109. Julie Lewis wrote on :

    This is terrible UI/UX design.

    You actually expect the average user to see that tiny shield by the URL?

    And if by some miracle they do see it and click on it, the only option shown by default is “Keep Blocking”. And then if they are savvy enough to click the dropdown box there’s no option to disable for the domain.

    You at least need to put this in the Preferences somewhere. Type about:config? What planet are you guys on?

    The average user will not bother to read the release notes to figure out why the site is broken. The least you can do is pop up a modal explaining why the content is blocked, with links to an explanation the average person can understand and options to keep blocking, turn off for this domain, turn off completely.

    Reply

  110. Jacques wrote on :

    BBC iPlayer unusable. Fix this or watch Firefox sink in the UK market.

    Reply

  111. Dan Wilson wrote on :

    Tanvi,

    I don’t believe you have given sufficient thought to how this change affects many web sites that use iFrames that are under different authoritative responsibilities. One of your standard answers that you’ve given here and in other blogs is that “the web site owner needs to fix their web site to avoid mixed content blocking”. This is not a realistic answer in many cases because the main site and the iFrames are controlled and authored by two completely different entities.

    As an example, I author content that resides in an iFrame on someone else’s web site (call that the main web site). My content in the iFrame contains a small flash object driven with Javascript, so a sandboxed iFrame is not an option. Only a single-digit fraction of users browse the main web site with https, let’s say it’s only 3%. However, with the mixed content blocking configured the way it is, I have NO CHOICE but to have the main site refer to my iFrame as https FOR EVERYONE, and therefore force the other 97% of users to load the frame as https. This increases latency (due to SSL setup) and CPU load on my server drastically.

    How are you planning to deal with this? If the user loads the main web site without SSL, I want them to load the iFrame without SSL to reduce the latency and CPU load. But that’s not possible because the main site would have to have server-side code to make that decision, and I don’t control that.

    This “feature” has essentially forced SSL for tens of thousands of connections to my web server that don’t need it.

    Reply

    1. Tanvi wrote on :

      Hi Dan,

      Thanks for your comment. You can fix the issue you describe by using a protocol relative url. For example, you can use:

      If the main page is http://, then the browser will include an iframe to http://example.com. If the main page is https://, then the browser will include an iframe to https://example.com. This way, only the 3% of users who actually are on the SSL version of your page will receive the SSL version of the iframe.

      https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content#How_to_fix_your_website

      Reply
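Tanvi's protocol-relative fix, as an added Node.js example that is neither her code, the MDN page's, nor Dan's: resolveEmbed shows how a //host/path src inherits the scheme of the page that embeds it, and toProtocolRelative and rewriteMarkup convert absolute http(s) resource URLs in markup to that form, but only for hosts the operator has confirmed serve HTTPS, since a host that does not would still be blocked on HTTPS parents. The host names and markup are constructed. The file:// case is included because a protocol-relative URL in a page opened from local disk resolves to file://host/..., a common surprise during development.

```javascript
// Protocol-relative embed URLs. Added example, not code from this post,
// from Firefox or from the linked MDN page. Hosts and markup are constructed.

// Resolve a src/href the way the browser does for a document at pageUrl:
// an absolute URL keeps its own scheme, "//host/path" takes the scheme of
// the page, and a bare relative path takes the page's scheme and host.
function resolveEmbed(pageUrl, src) {
  return new URL(src, pageUrl).href;
}

// Rewrite an absolute http:// or https:// URL into "//host/path?query#hash".
// Only hosts in httpsCapableHosts are rewritten: a host that does not
// serve HTTPS would still be blocked (or fail to load) on HTTPS parents.
function toProtocolRelative(url, httpsCapableHosts) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return url;
  if (!httpsCapableHosts.includes(u.host)) return url;
  return "//" + u.host + u.pathname + u.search + u.hash;
}

// Rewrite src/href/data attribute values in an HTML snippet.
function rewriteMarkup(html, httpsCapableHosts) {
  return html.replace(
    /(\s(?:src|href|data))=(["'])(https?:\/\/[^"']+)\2/gi,
    (_, attr, quote, url) =>
      `${attr}=${quote}${toProtocolRelative(url, httpsCapableHosts)}${quote}`
  );
}

// Constructed markup: the main site embeds a third party's frame with an
// absolute http:// URL, the situation Dan describes. legacy.example stands
// for a host that has not been confirmed to serve HTTPS and is left alone.
const EMBED_SAMPLE_HTML =
  '<iframe src="http://widgets.example/frame?id=3" width="300"></iframe>\n' +
  '<iframe src="http://legacy.example/old"></iframe>';
const HTTPS_CAPABLE = ["widgets.example"];

function rewrittenSample() {
  return rewriteMarkup(EMBED_SAMPLE_HTML, HTTPS_CAPABLE);
}

// What the rewritten frame URL resolves to under each kind of parent page.
function demo() {
  return ["http://main.example/page", "https://main.example/page", "file:///tmp/page.html"]
    .map((page) => ({ page, frame: resolveEmbed(page, "//widgets.example/frame?id=3") }));
}

console.log(rewrittenSample());
console.log(demo());
```

With the rewritten markup, the 97% of visitors on the http:// main page fetch the frame over http and only the HTTPS visitors fetch it over https, which is the behaviour Dan asked for; the rewrite is a one-time change to the embedding site's markup and needs no server-side logic.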

      1. Dan Wilson wrote on :

        I thank you for this fix, and it works perfectly in my case.

        The thing is that I have been in IT for over 20 years, and doing web development for nearly 10, and I had absolutely no idea that protocol-relative links even existed. This is the first time I’ve even heard of such a thing.

        Given that it is a very key technique to solve some mixed content blocking issues, this solution needs to be made much more prevalent in order to get the word out. It ought to be posted in a big huge font on the Mozilla front page … or something like that ;-)

        – Dan

        Reply

  112. ZeFrenchmen wrote on :

    Will add my voice to most of what’s on this page : the feature is well intended, but catastrophically implemented. Two hours of my life I’ll never see again…

    Reply

  113. Michael C wrote on :

    A valid jsonp request from a https page to a http page is throwing this error.
    This isn’t progress!
    Also, put your comment form AT THE TOP of the comments please.
    Thanks

    Reply

  114. Nikolas wrote on :

    I have an HTTPS website that uses a static domain for serving static files (css, js, images) and that domain is HTTP. I don’t want to make my static domain HTTPS for css/js files because it costs me more $$$. However my HTTPS site does not work in Firefox properly – the css/js files are not read.

    What you are doing now is forcing us to make all our domains either http or https when there are legit uses of having mixed content sites. So our solution for now is to block the new Firefox version on our domain to prevent new users from thinking this is an unsecured site because our static assets are http on an https site.

    Reply

    1. Tanvi wrote on :

      Having HTTP javascript and css on an HTTPS page compromises the integrity of your HTTPS page. It’s similar to having an invalid SSL certificate, which has always required a user to add an exception (the same way Mixed Content does now).

      Reply

      1. Eloy wrote on :

        True, but for the SSL case you can create a whitelist, i.e. permanently create an exception if the user knows for sure that the site can be trusted. This is not currently possible with the Mixed Content Blocker in Firefox.

        Reply

  115. Enex wrote on :

    This has totally killed my Internet Hotspot business. My Advertising no longer shows on users’ browsers. How can I overcome this?

    Reply

    1. Tanvi wrote on :

      Provide ssl versions of your advertisements that can be used on HTTPS pages.

      Reply

  116. Florian wrote on :

    Please revert this “feature”.

    It is a killer for all sites who do very low-level mashups of freely available content, even from the same domain. E.g. in universities it is common to embed a search form provided by the IT department and you want to embed that in your curriculum site which for some reason has SSL enabled. No security issues here, we know the servers and everything. We need to be able to turn this off at least or have a whitelist.

    Reply

  117. John wrote on :

    Mixed Content Blocker has a BIG downside to it. We use Firefox for our web browser in our virtual online high school. Our learning management system is Blackboard Learn. The new mixed content blocker blocks our ability to display many of our courses with their content, including IFrames and PDF documents. We are employing a block on the mixed content blocker. However, should Firefox continue to use the mixed content blocker we will be forced to switch to Google Chrome. The page by page by-pass of mixed content blocker you described is not effective. Our students and our teachers do not have the time to stop and enable each page one page at a time. I guess this comes under the law of unintended consequences.

    Reply

    1. Tanvi wrote on :

      We have fixed the need to unblock page-by-page in bug 902156. It shipped with Firefox 24 (currently in beta, will hit stable users around September 17th).

      Chrome 30+ also blocks iframes. It is in beta and supposed to ship to stable users in early October, so your users will experience the same behavior in Chrome.

      Reply

  118. Steve Ridout wrote on :

    I run a https language learning website [1] in which the iFrame containing translations [2] no longer works because it is http.

    I’ve asked the owner of the iFrame if it’s possible for him to host a https version of this but he may not want to, and I have no control over this.

    So now I need to either teach all my users how to disable the mixed content blocking, which is a terrible solution, or to move my site to use http instead of https, which will only worsen security for my users.

    This is far from an isolated case so I recommend amending this to behave more like Chrome, which displays the page with a warning that there are unsecure elements on the page.

    Thanks,
    Steve

    [1] https://readlang.com
    [2] http://mini.wordreference.com

    Reply

    1. Tanvi wrote on :

      Firefox’s warning and Chrome’s warning are very similar – shield/badge in the url bar that does not pop-open automatically.

      Reply

      1. Brett Rutecky wrote on :

        Wow did you actually make this comment? How can you be so out of touch. Umm the difference is Chrome doesn’t just block the site automatically with no way to add a permanent exception or to disable this ‘feature’. With the kind of silly thinking you just displayed in that comment I can see why such poor design is being pushed out into production.

        Reply

        1. Tanvi wrote on :

          Yes it does. Chrome automatically blocks Mixed Active Content with a shield in the url bar. The difference is that Chrome 29 and below doesn’t block Mixed Content frames and Mixed Content XHR. Chrome plans to start blocking these two specific content types in versions 30 and 31 respectively.

          Reply

  119. connie Bates wrote on :

    This new “feature” is a BIG PITA!!!!!

    As much as I dislike Explorer – Firefox is beginning to rate about the same.

    Reply

  120. JS wrote on :

    This absolutely sucks. The icon to disable this stupid behavior is almost invisible.

    It took me half an hour to figure out why my blog (which is served over HTTPS) stopped showing embedded YouTube videos in the new firefox.

    If you cared about “security” you wouldn’t have gotten rid of the disable javascript function in the UI. Firefox sucks and is dead to me, I won’t use it anymore, and sites I build will no longer support it. You guys have majorly blown it as far as I’m concerned.

    Oh and scaling a bitmap of flash content asymmetrically when the window scales is idiotic, too. At this point I’d rather use IE if I had to, but I’ve moved on to Iron and hopefully the rest of the world will follow.

    Way to go on the “features”. Hint: No one smart enough to use a browser besides what’s bundled with their computer will want to use one that tries to hide controls from the users. Stop trying to act like Apple.

    Reply

  121. Jeff wrote on :

    I don’t need this feature. It gives me trouble. Kindly give me a note on how to avoid this behavior through code. Ruby on Rails code I need.

    Reply

  122. HAL07 wrote on :

    Please make an option for trusting sites. This is hilarious and Microsoft seem to use this on all their sites just to annoy Firefox-users.

    Reply

  123. Kandy wrote on :

    If you were going to force a security feature on people, the least you could have done is put a setting in to disable it for those who don’t wish to use it. Otherwise every stinking time the page loads, or a person goes into their game or other site where this blocks their content, they have to keep disabling it over and over and over and over again. Do you really think people will continue to use your browser if they have to do that? Tell your techs who implemented this that they need to go to common sense school along with their technical classes.

    Reply

  124. shaf wrote on :

    Everyday new technology and new security

    Reply

  125. John E wrote on :

    Suddenly with Firefox 23.0.1 the page I’ve used for homepage for a decade is triggering mixed content blocking, but only on my work laptop which has Windows XP. With the same release of Firefox at home (Windows 7) I have no problem. Likewise on another desktop at work also running XP. How can I stop the mixed content blocking permanently on a site I know is safe?

    Reply

    1. GridCoder wrote on :

      John, you can’t. No-one can without disabling the feature completely.

      Oh dear, oh dear – this is a real mess. No persistence, no whitelisting, no warning.
      I’m afraid, my dear Firefox Dev Team, you haven’t just shot yourselves in the foot; you’ve blown your foot clean off…

      Someone got obsessed with “making Firefox a more secure browser” and doggedly followed that idea regardless of the consequences, when instead they should have been thinking about how to make sure this change had good impact analysis and UX testing.

      It’s no use coming up with the argument that “Chrome is going to do this in R30”, or “you need to serve your content over https” or “Chrome’s warning is the same as ours” – the fact is Firefox has broken many, many people’s browsing and it needs fixing fast.

      It’s unfortunate that the first step in the right direction (the fix for Bug 902156) is going to take over a month from v23 to get to production in v24.

      The questions remain, how long will it take to get a proper UX solution out (i.e. a pop-up on first triggering of mixed content blocking per domain, coupled with domain whitelisting) and how much market share is Firefox going to lose before that solution is released…

      Reply

  126. Steve wrote on :

    How the hell did that “feature” make it past the beta stage? Who thinks up these “improvements” without a minimum of testing by real users? Now I can’t even edit web sites based on eZpublish any more, because the WYSIWYG editor is blocked and every frigging time I edit and save a page I have to manually allow for the execution again. What a mess!

    Reply

  127. Jason wrote on :

    I wish this feature was not done by the page and easily obliterated by reloading it. There should be a way to create exceptions for certain websites. It is a great feature, but it is absolute.

    Reply

    1. Tanvi wrote on :

      The reload issue was fixed in bug 902156 and is shipped with Firefox 24 (currently in beta).

      Reply

  128. Igor D. wrote on :

    Great idea, terrible implementation. Why on Earth is Internet Explorer 8 – of all the things that attempt to call themselves ‘browser’ – doing it right? If you access a mixed content site, you see the warning message that _tells_ you what’s going wrong, you’re given two clear options and the ‘More Info’ link. The attempt to replace this with some darn icon is not even close.

    Reply

  129. Eloy wrote on :

    I am very sorry for throwing more fuel to the fire but while I appreciate all the work and effort that has gone into adding this feature, I am about to disable it so I thought I’d provide some insight into why…

    I agree with others that have expressed that the feature is poorly implemented. In my opinion, it is fine to ship with the feature enabled by default but shipping the feature without a way to whitelist an entire domain (#873349), or to make the exception persistent (#902156) is not the best way to introduce a new feature that has such wide consequences.

    To give another use case: at work I use a web application very very often. The application uses HTTPS but serves CSS over HTTP. After upgrading to Firefox 23 all pages from that application started to look really bad, to the point that it’s not usable. I tried disabling the protection for the first page where I hit the blocker but I quickly learned that: 1. the next page I visited was also getting blocked, 2. my choice to prevent blocking was not persistent, and 3. I could not create an exception for the entire domain (the entire web application).

    I understand other browsers might do the same thing but that surely cannot be an excuse for implementing the feature the way it is currently implemented.

    Thanks again for your work, and I’m sorry for the not very constructive feedback, but this is the first time that I recall that a new feature causes so much mayhem without a way to work around it without completely disabling the feature.

    Cheers!

    Reply

  130. Nate wrote on :

    I’ve had to disable this in about:config on all the machines I use. I’m sorry, but it is not at all clear that content is being blocked by the browser itself when it simply isn’t visible on the page. You may not even realize it is supposed to be there in some cases. I’ve seen this quite frequently with video on news pages for example.

    I can’t understand why there isn’t some obvious indication in the browser that content is being blocked. No, a tiny gray shield is not obvious.

    Reply

  131. David wrote on :

    This is a terrible feature that is ruining a lot of work I’ve done. I teach classes on the Web. My learning management system is installed on a server that uses https, but I embed a lot of non https content in iframes for my students. Now, all of my students that use Firefox can’t see a lot of the material I have created for their course. This isn’t a tech course, and many of them aren’t particularly savvy. They don’t notice the warning. You’ve completely broken things I’ve spent months hacking away on.

    Reply

  132. josie wrote on :

    help me out is good

    Reply

  133. Clem wrote on :

    There are already a lot of posts so my apologies for any redundant ideas.
    Whatever, I really need to be able to disable this feature. I think about 2 options:

    1) the first one, apparently requested by a lot of people here, a whitelist. Such a whitelist may come with a couple of already set trusted sites such as those where we can find podcasts or videos. When those media are played through plugins (currently still very often… flash fallback is really frequent when html5 capabilities aren’t available) and embedded into an iframe, they are no longer played. YouTube is no longer “embeddable” for example…

    2) The second approach is more “dev” friendly. What about an iframe option to indicate that it will load a trusted content? So all its content will be “trusted”. Then it will be interesting to discuss about the inheritance of such a property: what about the iframes inside the iframe? Maybe inheritance capabilities such as those we have in CSS… (inherited until one says something else).

    Thank you for your attention

    Reply

  134. Patrick Doyon wrote on :

    Wow. This sudden implementation is indeed creating a lot of problems for a lot of people… me included. I’m happy I don’t feel alone… However, I do want a solution. Here’s my situation.

    I run a secure HTTPS eLearning site in which we provide users a list of relevant educational 3rd party videos. Some of those videos are on YouTube and on TED.com. To access these, we use a fancy pop up window (with transparent border over the background page) and embed the URL of the 3rd party video using an iframe (we pretty much use the “embed” link that TED or YouTube provides us).

    Won’t work! What should I do (aside from telling users to move to Safari!)

    Thanks a lot. My business is running on this!
    Patrick

    Reply

    1. Tanvi wrote on :

      youtube provides HTTPS versions of their content. You can update all the “http://youtube.com” links to “https://youtube.com” or you can also use a protocol relative url and just put in “//youtube.com”. With relative urls, it will use the scheme of the parent document.

      Reply

      1. Patrick Doyon wrote on :

        Thanks a lot Tanvi,

        Your comment helped me resolve our Youtube issue.

        On another related note, with the same HTTPS website, I’m trying to insert a link that is supposed to open up a new tab with a PDF document in it. The PDF document is hosted on our HTTPS server and I’m using HTTPS in the url.

        However, what happens is that the New Tab opens up briefly, then closes immediately and I later find the PDF document in my downloaded folder!?!? Same behavior happens with a popup new window.

        How do I keep the new tab (or new popup window) open. It used to work (a few weeks ago) but no longer does with FF23.

        Thanks,
        Patrick

        Reply

        1. Tanvi wrote on :

          Hi Patrick,

          I’m not sure if your issue is caused by the Mixed Content Blocker. From your description, it sounds like it could be a separate bug.

          To confirm this, you can check a couple of things. Do you see the Shield icon on your webpage? If you turn off the Mixed Content Blocker, does the issue still exist? If you can provide me with the url, I can take a look. Thanks!

          ~Tanvi

          Reply

  135. Name wrote on :

    “Bug 826599 discusses whether users should even have an option to disable protection on HTTPS frames. The bug is to remove the UI to Disable Protection if the mixed content is coming from an HTTPS frame with a different domain than the top level domain. What do you think about this?”

    I think you should make it optional to block mixed content and also make it possible to disable it for certain domains/sites so that the user doesn’t have to click display each time he loads the page again to check for updates or similar.

    Reply

  136. anon wrote on :

    The shield is rather difficult for most users to see. Really this should be easier to turn off and on. In secure course management systems that link to unsecure pages such as youtube videos (and even to some electronic resources) we are having to walk users through using another browser, or installing the Toggle Mixed Active Content add-on. I hate to say this, but IE makes it easier, with a dialogue box.

    Reply

  137. работа тестером онлайн игр wrote on :

    Good respond in return of this difficulty with genuine
    arguments and describing all on the topic of that.

    Reply

  138. JBC wrote on :

    This is a terrible implementation of mixed content blocking. Firefox is no longer my go to browser because of it. Here is the problem:

    I have a site where users log in to a members only area, where they may see members only content. The content often has appendices where we link to other relevant 3rd party information. If I link to a site that offers only http, users cannot open those links (changing the target parameter does not always work for some reason). When I look at the users’ error logs, I see “mixed content blocked” and can easily reproduce it. So your implementation is not allowing me to link from my site to others, if any links to http pages appear on a page served through https.

    Please tell me this was not Mozilla’s intention.

    Reply

    1. Tanvi wrote on :

      Hi JBC,

      This was not the intention. When a target is set on a link to open a new tab or navigate the top level page, Mixed Content Blocker should not block the navigation. The new tab case was fixed in bug https://bugzilla.mozilla.org/show_bug.cgi?id=841850 in FF 22+ (before the Mixed Content Blocker came out). We missed the top level navigation case for Firefox 23, but fixed it in Firefox 24 (which is the current stable release) in bug https://bugzilla.mozilla.org/show_bug.cgi?id=902350.

      If you are still having a problem in Firefox 24, please let us know. Thanks!

      Reply
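Tanvi’s answer separates two things that look alike to a site owner: a link that navigates away from the HTTPS page (never mixed content) and a load that brings HTTP content into the page (mixed content, blocked when active). As an added example, not Firefox’s code, here is a small Python model that encodes the decision rules stated in the replies on this page: navigations to http (top-level or a new tab) are allowed, mixed active loads inside an https page are blocked while the security.mixed_content.block_active_content pref is on, the shield dialog’s per-page “Disable Protection” lets them load but keeps a warning, turning the pref off loads them with no indicator at all, and mixed passive loads are allowed but the page is no longer reported as fully secure. The load-type names are assumptions loosely modelled on Firefox’s content-policy type names, and the sample loads are constructed.

```python
"""Decision model for a single load under the Mixed Content Blocker.

Added example, not Firefox's code. Load-type names are assumptions loosely
modelled on Firefox's content-policy type names; sample loads are constructed.
"""
from urllib.parse import urljoin, urlsplit

ACTIVE = {"TYPE_SCRIPT", "TYPE_STYLESHEET", "TYPE_SUBDOCUMENT",
          "TYPE_XMLHTTPREQUEST", "TYPE_FONT", "TYPE_OBJECT"}   # can alter the page's DOM
PASSIVE = {"TYPE_IMAGE", "TYPE_MEDIA"}                          # confined to their own box
NAVIGATION = {"TYPE_DOCUMENT"}                                  # a new page, incl. target=_blank

ALLOW, WARN, BLOCK = "allow", "allow-with-warning", "block"


def decide(parent_url, request_url, load_type, pref_block_active=True,
           protection_disabled=False):
    """Return allow / allow-with-warning / block for one request.

    pref_block_active   -> value of security.mixed_content.block_active_content
    protection_disabled -> the user clicked 'Disable Protection' in the shield dialog
    """
    if load_type in NAVIGATION:
        return ALLOW                      # the https page is being left, not modified
    resolved = urljoin(parent_url, request_url)   # "//host/path" inherits the parent scheme
    is_mixed = (urlsplit(parent_url).scheme == "https"
                and urlsplit(resolved).scheme == "http")
    if not is_mixed:
        return ALLOW
    if load_type in ACTIVE:
        if not pref_block_active:
            return ALLOW                  # pref off: content loads silently, no indicator
        return WARN if protection_disabled else BLOCK
    if load_type in PASSIVE:
        return WARN                       # loads, but the page is no longer fully secure
    raise ValueError(f"unknown load type {load_type!r}")


# Constructed sample of requests made from one https members page.
SAMPLE_LOADS = [
    ("https://members.example/article", "http://partner.example/report", "TYPE_DOCUMENT"),
    ("https://members.example/article", "http://zip-api.example/lookup?94110", "TYPE_XMLHTTPREQUEST"),
    ("https://members.example/article", "http://static.example/banner.png", "TYPE_IMAGE"),
    ("https://members.example/article", "//fonts.example/body.woff", "TYPE_FONT"),
]


def summarize(loads, **settings):
    """Map each request URL to its verdict; rerun with different settings to compare."""
    return {req: decide(parent, req, kind, **settings) for parent, req, kind in loads}


if __name__ == "__main__":
    for req, verdict in summarize(SAMPLE_LOADS).items():
        print(f"{verdict:19} {req}")
```

Running it with `pref_block_active=False` shows why the about:config route is the blunter tool: every mixed active load on every site turns into a silent allow, whereas the dialog route keeps the warning state on the page where the user made the exception.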

  139. Brett Rutecky wrote on :

    Well FireFox 24 is out and some of the most major issues were not even addressed.

    The blocking is still only indicated by a very small and unnoticeable grey shield in the navigation bar.
    The decision to not block a page is not retained long term.
    There is no UI based way to totally disable this blocking
    There is no UI based way to add a permanent exception for a entire domain (report it as trusted)

    Congratulations Mozilla you managed to take a great browser and make it suck. Now have a coffee and pat yourself on the back for ‘keeping the world safe from all those evil IFRAMES’ .. it’s not going to do much for security if people stop using your browser.

    I for one am done with FireFox. I can’t abide self important (guess you think you’re Microsoft now eh) people who seem to think that you know what’s better for me than I do (no permanent disable) or who promote censorship. I will also be strongly recommending to my user base that they no longer use FireFox as well.

    Reply

  140. Joshua Dye wrote on :

    I agree that the UI is terrible. I have a tt-rss site that has the capability of dynamically opening the link in RSS, and this feature suddenly stopped working. It wasn’t until I checked the site in Chrome and noticed the mixed-content warning that I realized what was going on, and I’ve done web design, host my own pages, and am perfectly aware of the issues involved. I don’t have a problem with the idea behind the change, but if the function is breaking websites, the UI should be more obtrusive and the user should have the ability to turn it off in the standard preferences as well as whitelist trusted sites. Now that I’m aware of the UI, it’s not enough to make me switch browsers, but it was coming close before I figured it out.

    Reply

  141. Lennon wrote on :

    DNSSEC is the best way to stop man-in-the-middle attacks.

    Reply

  142. Jenna wrote on :

    I am trying to use padmapper.com to hunt for an apartment, but 85% of the apartment listing pages are determined as ‘mixed content’ by this tool and, since each listing page has a unique URL, it’s becoming very frustrating to disable the blocker on every listing page I’d like to look at. Is there any way to turn off the blocker for all pages connected to one root?

    Reply

    1. Tanvi wrote on :

      We have a bug open for padmapper and have contacted them: https://bugzilla.mozilla.org/show_bug.cgi?id=893428

      If the page listings are on the same domain and you use the same tab, your decision should persist in Firefox 24+ until you close the tab/switch domains. https://bugzilla.mozilla.org/show_bug.cgi?id=902156

      Reply

  143. F Johnson wrote on :

    I am a web and graphics instructor for a very large community college system. We use a learning management system to facilitate our courses on a secured server. iframes are used a lot to bring in content and at our institution we are still running Firefox 10, but all our students are using the latest versions of Firefox and are unable to see the iframe content.

    Come on Mozilla, Firefox is my favorite browser, and I insist on my students using it (I have made a lot of converts). This needs to be resolved. The iframes should be allowed, but with a first time warning asking if the address is a trusted site, and from then on it should be white-listed in the settings in the same way that no-script does it.

    I trust that you guys will work it out.

    Reply

  144. Fabian wrote on :

    How can I disable the feature for certain websites “forever” eg flickr.com, it’s really annoying to disable it every time I visit my photostream. Thanks!

    Reply

  145. Wong SP HJoseph wrote on :

    Please, advise me how I can disable the tanvi-blocking function !

    Thank You !

    Reply

  146. BMREDDY wrote on :

    tell me

    Reply

  147. Rahul wrote on :

    Can you please disable this feature by default. Users who want to be more secure can enable this from config options.

    Tanvi, please don’t mention that Chrome doesn’t do like this.

    Reply

  148. Berend wrote on :

    Is there a way to unblock all traffic from a specific website? We use an application here that has mixed content that we know is safe. Having to click the shield picto every time is very annoying. So I would like to permanently unblock all traffic from that site.

    Reply

  149. Federico Galassi wrote on :

    This is going to cost millions of $$$. What’s mozilla word on that?

    Reply

  150. masoud wrote on :

    I prefer to have easy connection to this site

    Reply

  151. Captain Dave wrote on :

    About time there was a way to disable all this sort of thing. If I want to install load-every then I want it to run so I can see my ISP interface in real time, line throughput, system status (all now ASCII interfaces from root-privileged shell scripts, so no longer blocked). That is why I am running a very OLD version of Firefox, as it was a nice tool before idiots started fiddling with it, a bit like Debian: I still run Lenny to get away from the scourge of spotty-faced kids who never read the book, as the only plasma I do not need is a Plasma TV, which radiates like hell and jams the HF bands, another bad move. Having worked on the source code of DESTINY I have earned the right to hold my opinions. ENDS

    Reply

  152. arjun wrote on :

    Thanks for letting me know! I’ve fixed my website’s google fonts links. Why are google fonts considered active content?

    Reply

    1. Tanvi wrote on :

      Hi Arjun,

      Please see here for the reasoning behind blocking mixed content fonts: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#comment-40

      Thanks!

      Reply

  153. Chris Baker wrote on :

    We were using a third-party service to lookup zip codes entered into an address field and autofilling the city & state.

    We send a request to a restful API, it responds with a small JSON object. Now, it completely fails. Whose security was served by blocking that JSON text? The API does not offer a valid HTTPS certificate, so can we just not use that service anymore? Isn’t that a little counter-productive?

    The lack of a whitelist, or some means to bypass this “feature” shows a bit of arrogance and disregard for the developer community. I don’t buy this argument of rolling some half-baked security feature out without having explored the ramifications and providing some mechanism for opting out or whitelisting. When I do that at my job, we call it “being lazy”.

    We’re a nonprofit with a nonprofit budget, and this is costly.

    Reply

  154. Gwen wrote on :

    This is a horrible feature to enable by default. Schools use a lot of embedded content to display content on their classroom websites, online courses, and student portfolios. Parents, students, and teachers just see a blank page and assume it’s broken and give up. Please make this an option, not a default.

    Reply

  155. DaveP wrote on :

    As a developer (who like the vast majority of website creators is not an expert in these issues) I am now having to re-write code that was written years ago. I understand that our sites may not be up to modern security standards but simply denying our users access without a simple workaround is pushing it. Upgrading our site will be costly and time consuming and difficult to slot into tight deadlines for other projects. Could I make a plea for the following:
    1. Can you recommend a resource that provides a simple tutorial on how to fix the issues exposed by this new security feature in FF or alternative post such information here.
    2. It would be very helpful if (as an interim measure) some form of header could disable the feature with a warning saying something like “THIS SITE DOES NOT MEET THE FULL REQUIREMENT FOR SECURITY DUE TO MIXED CONTENT”. This would be a quick fix for developers who want to keep their sites functional while they work on solving the more intrinsic security features.

    Our use case is a hotspot landing page that embeds an iframe with the venue’s own content, which is almost always insecure and often would be emasculated without javascript.

    Reply

    1. Tanvi wrote on :

      Hi Dave,

      Here are some resources that might help:
      https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content
      https://developer.mozilla.org/en-US/docs/Security/MixedContent

      I am working on getting these linked from the “Learn More” page (https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety).

      Reply

  156. Pingback from Firefox for Android adds Guest browsing, Web Audio API - FMobiles on :

    […] Mixed content blocking is also implemented in this version to protect users from malicious attacks. Addons can now add indicators to the URL bar. Romanian, Irish and Ukrainian locales are added, with these additions Firefox for Android now supports 27 languages worldwide. […]

    Reply

  157. cheahour wrote on :

    enable

    Reply

  158. L wrote on :

    The new FF 25 removed the shield icon. So now what? How do we enable mixed content?!

    Reply

    1. Tanvi wrote on :

      That is odd. Testing a page with Mixed Active Content on Firefox 25, I still see the shield icon. Can you provide the url of the page you are experiencing issues with? Thanks!

      Reply

  159. Romuald Brunet wrote on :

    A note concerning iframes: you should really consider adding a more visible warning for users.

    Setting the iframe contents to a warning instead of a blank page would be far less disturbing IMHO

    Reply

  160. Brett Rutecky wrote on :

    Wow .. you guys even block links to a non secure URL when they are in a secure page. So I guess you are not happy with telling people what they can view on the web, you also have to control what people can do huh? Insane!

    No one wants these so called ‘features’ don’t you get that yet? And stop saying stupid stuff like .. “but Chrome does … ” In case you have not noticed we are not on the Chrome blog so that doesn’t matter.

    Reply

    1. Roy wrote on :

      Yup I want it disabled permanently. so frustrating

      Reply

      1. Roy wrote on :

        I have a captive portal with mixed content and I want it disabled permanently; it does not save your setting.

        Reply

        1. Pedro wrote on :

          Horrible option to force you to always permit sites to use mixed content.
          You guys must put an option to make a whitelist like other options have it.

          So frustrating.. will have to migrate all my users to other browser… GRRR

          Reply

  161. Pingback from Happy Ninth Birthday Firefox! | The Mozilla Blog on :

    […] We shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web. Firefox includes Click to Play plugins. […]

    Reply

  162. Pingback from Firefox Turns Nine! Happy Birthday! | News Center | Mozilla Taiwan on :

    […] Security: Firefox now provides the Mixed Content Blocker feature, ensuring users’ security on the Web. Firefox also has the Click to Play feature, which lets users decide whether a website may use plugins, protecting users and letting the browser run more smoothly. […]

    Reply

  163. Pingback from Happy Ninth Birthday Firefox! Firefox Mobile OS Download on :

    […] We shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web. Firefox includes Click to Play plugins. […]

    Reply

  164. Pingback from Happy 9th Birthday Mozilla Firefox! - .:: A cup of coffee and my lappy on :

    […] We shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web. Firefox includes Click to Play plugins. […]

    Reply

  165. 網路廣告 wrote on :

    Good day! I simply would like to give a huge thumbs up for the
    nice info you

    Reply

  166. Pingback from Happy Ninth Birthday, Dear Firefox! | Me, and Some of My Rambling Words on :

    […] to keep you safe, we have shipped a Mixed Content Blocker with Firefox. With just a click […]

    Reply

  167. Pingback from Happy Ninth Birthday, Firefox! « Mozilla News on :

    […] We launched mixed content blocking in Firefox to help users stay secure while browsing […]

    Reply

  168. Pingback from Happy Ninth Birthday Firefox! | Mozilla Press Center on :

    […] We shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web. Firefox includes Click to Play plugins. […]

    Reply

  169. 清潔公司 wrote on :

    I love to disseminate understanding that will I’ve accumulated through the
    season to assist improve team functionality.

    Reply

  170. Pingback from Firefox Turns 9 | Mozilla Thailand Community on :

    […] there is blocking of insecure content (Mixed Content Blocker) […]

    Reply

  171. Pingback from 9 Gifts from Firefox to the Web World | BennyChandra.com on :

    […] We brought the Mixed Content Blocker to Firefox to keep you safe, wherever you browse the Web. Firefox brings […]

    Reply

  172. Anita Bath wrote on :

    I was wondering why my browser was so unimaginably slow and I could not log into my library account before midnight to renew my items, despite being obliged to manually change a setting– I guess not being able to access ANY webpages is safer than a buggy one– like not driving is safer than driving– but I’d rather take my chances.

    Mozilla now owes me $1.20 in overdue fees.

    Reply

  173. Pingback from Happy Ninth Birthday, Dear Firefox! | Ratul’s Blog on :

    […] to keep you safe, we have shipped a Mixed Content Blocker with Firefox. With just a click […]

    Reply

  174. Pingback from Firefox celebrates its ninth anniversary | Universotek on :

    […] they incorporated a Mixed Content Blocker in Firefox to keep you secure when you browse anywhere on the web. Firefox includes […]

    Reply

  175. Mike Cherichetti wrote on :

    It really is unfortunate that this feature was implemented without a whitelist. Like many others, the preview function in our ad server control panel is negatively affected by this as some third-party content does not support https and never runs on https pages. Yet our control panel runs on https and must be able to preview such content.

    Why not allow site administrators to make an educated decision about http/https mixing and set a “X-Allow-HTTP: [domain]” header on https pages to enable mixing from a given domain or a wildcard to allow third-party domains?

    Reply

  176. Mike wrote on :

    This is an absolute disaster. I developed a bookmarklet-based reference tool that opens a results page in an iFrame. The results page can open from my server or users can host on their own server. I don’t have an ssl certificate, nor do I expect my users to. This requirement means I must instruct my users to go into about:config and change their security settings through a highly technical (to them) interface? Or to understand why my tool suddenly doesn’t work on https: sites? Nobody is going to do that. You have destroyed many months of work for me.

    Reply

  177. Flat Eric wrote on :

    Why isn’t there a whitelist??? For me, it’s also a complete disaster to transport information in our intranet… Not sure what to do now with the mixed content…

    Reply

  178. Wilber wrote on :

    I’ve been annoyed too often by this feature. Just like other users who have posted, I could not easily figure out why some page popped up blank. I first suspected a website-side bug. Now that I have finally turned off the security.mixed_content.block_active_content feature in about:config after reading through this discussion, I noticed that while disabling the blocking through the dialog box left me with a warning triangle in the address bar, disabling it through about:config leaves me with no warning at all. So I suggest a whitelist be implemented in some way (because less security for those who ask for it is still better than no security at all) and a warning sign be left in order to remind the user that he is still at “risk”.

    Reply

  179. Pingback from Mixed Content Blocking Appears in Firefox 23 | IT Security on :

    […] Users can decide to block Mixed Passive Content as well by following a couple simple steps,” Tanvi Vyas of Mozilla […]

    Reply

  180. walt disney pixar wrote on :

    I’m having issues with Yahoo Mail.

    I always choose Disable on this page,

    but next time I enter, AGAIN THE BLOODY Firefox has blocked ……

    Reply

  181. 律師 wrote on :

    Excellent notable synthetic vision just for fine detail and may anticipate issues prior to
    they will take place.

    Reply

  182. Mike Bailey wrote on :

    This is really starting to tick me off. Every time I go into this site I have to take the time to disable it. Is there a way to permanently disable it for a certain site? I am about to stop using Firefox altogether and go to something else.

    Mike

    Reply

    1. Pup Equality McKeenan wrote on :

      I was able to disable it once, and now the shield icon has disappeared and now I can’t disable anything and the block is back.

      Reply

  183. Sylvain Lafreniere wrote on :

    It’s been 3 days that I can’t play a game that was a great one on Facebook. They have their certificate, but it’s not been good enough for the last three days on Firefox. All explanations to get it back aren’t working. Give me back my game, please. Do the same thing with Movie Pop.
    Regards, Sylvain

    Reply

  184. www.viwawa.com wrote on :

    Your method of describing the whole thing in this piece of writing is really nice; everyone
    is able to effortlessly be aware of it. Thanks a lot.

    Reply

  185. Pingback from All Markup News » Happy Ninth Birthday Firefox! on :

    […] We shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web. Firefox includes Click to Play plugins. […]

    Reply

  186. service ac surabaya wrote on :

    shipped Mixed Content Blocker in Firefox to keep you secure, wherever you surf the Web ^_^

    Reply

    1. Pup Equality McKeenan wrote on :

      whether you like it or not! Please make these features OPTIONAL! Let us decide the risks we want to take.

      Reply

  187. finance.yahoo wrote on :

    If you desire to take a great deal from this paragraph then
    you have to apply these methods to your own weblog.

    Reply

  188. Ryan L wrote on :

    I am tired of having to tell it to disable the page every time I want to check my Yahoo Mail. I never had to do this before. It is very irritating and extremely stupid on your end. It needs to be fixed so that you only have to disable the page one time for the rest of its life. If this does not get fixed, I will no longer use your browser.

    Reply

  189. No Thanks wrote on :

    Ditto on this is a poorly implemented ‘feature’, although I’m sure it was well intentioned.
    Without being able to permanently turn it off on a page by page basis it means the browser is broken for me. Too bad, because it had some advantages.

    Reply

  190. Anurag wrote on :

    Now, because of this, if you have a site which is running on HTTPS and you have a YouTube video embedded as HTTP, it will not work, and you keep wondering why the YouTube video is not working. It’s simply because of the mixed mode issue, so change your YouTube embed URLs to https and it will start working. Have fun.
    [youtube url not working on https , youtube url not working in firefox , youtube embedded url not working in firefox]

    Reply

  191. PSP Emulator wrote on :

    My spouse and I stumbled over here coming from a different web page and thought I might
    as well check things out. I like what I see so now i am following
    you. Look forward to checking out your web page for a second time.

    Reply

  192. Bristol Locksmith wrote on :

    I (think!) I get the concept behind mixed content blocking to improve security. Without blocking mixed content, it’s like having a really secure front door, but no glass in your ground floor windows and assuming nobody will notice…

    But how easy is this to pick up from a web development point-of-view? Does it only really affect smaller websites at the transition to SSL when transactions are being carried out? Or will this affect the user experience at anytime that content is pulled from other SSL enabled sites, or other parts of the originating domain?

    Reply

  193. Pingback from All Markup News » Share Your Firefox with Friends & Family While Keeping Your Web Information Private with Guest Browsing on :

    […] on  Mixed Content Blocker in this […]

    Reply

  194. Louvenia wrote on :

    What’s up, just wanted to tell you, I enjoyed this post.
    It was inspiring. Keep on posting!

    Reply

  195. Pingback from Firefox celebrates its ninth anniversary | Ciberespacio on :

    […] they incorporated a Mixed Content Blocker in Firefox to keep you safe when browsing anywhere on the web. […]

    Reply

  196. Pup Equality McKeenan wrote on :

    I am unable to use the comms/chat in game, Battle Pirates by Kixeye. I clicked on the shield icon and disabled blocking and that seemed to have fixed it, but just once, and now the shield icon has disappeared. Please work with Kixeye on a fix. Not sure if it is a problem with your coding, their coding or Flash Player’s coding, but between the three of you, get it fixed ASAP, PLEASE! I’ve been unable to play the game on FF since before Xmas. I have to play it on *shudder* Google Chrome and I hate Google Chrome. Firefox is the MOST stable browser for the game I have found.

    Reply

    1. Pup Equality McKeenan wrote on :

      I finally got the shield icon again and clicked it and disabled the blocker and I still cannot get comms on Battle Pirates! FIX THIS NOW!

      Reply

  197. brettrager wrote on :

    The mixed content blocker is destroying my gaming. I am losing all my bonuses; if you hit allow on a blocked page, the bonus views it as a second attempt at getting the same item and rejects the claim. I had lost dozens of bonuses before I saw I was not getting them. Either it gets a one-time disable for this or I will just delete Firefox. Your idea of help just made my pleasurable and relaxing game time a chore. I do not wish to reprogram my computer; I should not have to pay someone to undo or modify my system for something I don’t want, or that other browsers seem not to think is a problem, or have figured out a way to do without interfering with normal functions.

    Reply

  198. create google plus account wrote on :

    It’s awesome to pay a visit this site and reading the
    views of all friends regarding this post, while I am also zealous of
    getting experience.

    Reply

  199. Teh Gerg wrote on :

    I’m getting blocking messages on my local newspaper web site http://www.northwestgeorgianews.com/rome/
    on pages that are not HTTPS. It is causing this site to hang the browser. I am having this problem on no other site.

    Reply

  200. boy sky wrote on :

    password problem

    Reply

  201. brettrager wrote on :

    Since no one cares to unblock my gaming bonuses, I found the perfect fix: uninstall Firefox, install Chrome. Fixed. That was easy.

    Reply

  202. hotmail_user wrote on :

    I know everyone is complaining about this but I would actually LIKE to use it. However there is NO shield, I ONLY get the warning icon. I would LIKE to disable the mixed content but I don’t know how to. I get the warning icon in my hotmail and on facebook, and I would like to block mixed content, but there are no options. Is my only option to NOT use these webpages?

    Reply

  203. VASW ZAXOU wrote on :

    FOTO

    Reply

  204. Columbus personal injury attorney wrote on :

    Great web site you’ve got here.. It’s difficult to find high-quality writing like yours these days.
    I honestly appreciate individuals like you! Take care!!

    Reply

  205. Låna pengar direkt wrote on :

    I am truly happy to glance at this web site posts which contains lots
    of helpful facts, thanks for providing these kinds of data.

    Reply

  206. วิธีรักษาสิวอุดตัน wrote on :

    Write more, that’s all I have to say. Literally,
    it seems as though you relied on the video to make your point.

    You obviously know what you’re talking about, so why throw
    away your intelligence on just posting videos to your weblog when you could be giving us something informative to read?

    Reply

  207. mobile phone contract comparison wrote on :

    When some one searches for his necessary thing,
    so he/she needs to be available that in detail, therefore that
    thing is maintained over here.

    Reply

  208. Markuz Zericci wrote on :

    I’m sorry, but the handling of mixed content is atrocious. Basically, unless every aspect of the page is https, then firefox will not display it. The problem then arises that images, themes, other such trivial content and media won’t be displayed. Even when someone chooses to accept the mixed mode. This is a horrible approach to security, as it not only breaks the aesthetics of the site, but also forces a developer to recode a lot of work, especially where scripts are concerned.

    And to add to the pile, this completely breaks WordPress and other such CMS / Blogging scripts that hook into Facebook which require SSL for content delivery.

    Basically, what mozilla has done, was force developers to fix what isn’t broken, or have the user lower their security measures to get particular blogs, and scripts to function properly.

    Reply

  209. best rice cooker wrote on :

    Great blog! Is your theme custom made or did you download it from somewhere?
    A theme like yours with a few simple adjustments would really make my blog shine.

    Please let me know where you got your design. Cheers

    Reply

  210. เกมส์ยิงผี wrote on :

    Having read this I believed it was really enlightening.
    I appreciate you finding the time and effort to
    put this article together. I once again find myself spending
    a lot of time both reading and posting comments. But so what, it was still worthwhile!

    Reply

  211. how to download dailymotion videos wrote on :

    To locate the plug-in creating problem, start Internet Explorer normally again and disable all plug-ins (see the NOTE and Image in the first section).
    Silverlight videos can add special DRM to prevent downloading
    from them, or even if you have successfully get the video files by your video
    download tool, you may find they are just many parts
    of the video not a entirely one. You can see the conversion happening
    with the inbuilt footballer.

    Reply

  212. งานพาร์ทไทม์ wrote on :

    Have you ever thought about adding a little bit more than just your articles?
    I mean, what you say is important and everything. Nevertheless think of if you added some great graphics or videos to
    give your posts more, “pop”! Your content is excellent but with pics and videos,
    this site could definitely be one of the most beneficial
    in its niche. Wonderful blog!

    Reply

  213. game of war cheats chips wrote on :

    My daughter, Maya, couldn’t resist climbing inside the tree trunk.
    The French government deliberately delivered their own demobilized soldiers
    into four years of slave labor in Nazi factories and
    sold working class girls as prostitutes in German troop
    brothels. re sure to find some of the Mc – Wedding companies are arranging their fast-food brand of “Weddings in Hawaii”.

    Reply

  214. American wrote on :

    The mixed content blocker is a disaster. If I could advise the world to use Chrome I would, and then dump FF worldwide. It belongs in the dung heap.

    Reply

  215. Pingback from Firefox 23 to Block Mixed Content on :

    […] Images from Mixed Content Blocking Enabled in Firefox 23! […]

    Reply

  216. Tae-Wong Seo wrote on :

    This blog post has continued to spam the comments.
    Please stop spamming.

    Reply
