Mixed Content Blocking in Firefox Aurora

Tanvi

5

Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages.

When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.

What types of Mixed Content are blocked by default and what types are not? The browser security community has divided mixed content into two categories: Mixed Active Content (like scripts) and Mixed Passive Content (like images). Mixed Active Content is considered more dangerous than Mixed Passive Content because the former can alter the behavior of an HTTPS page and potentially steal sensitive data from users. Firefox 23+ will block Mixed Active Content by default, but allows Mixed Passive Content on HTTPS pages. For more information on the differences between Mixed Active and Mixed Passive Content, see here.

Mixed Content Blocker UI
Designing UI for security is always tricky. How do you inform the user about a potential security threat without annoying them and interrupting their task?

Larissa Co (@lyco1) from Mozilla’s User Experience team aimed to solve this problem. She created a Security UX Framework with a set of core principles that drove the UX design for the Mixed Content Blocker.

When a user visits an HTTPS page with blocked Mixed Active Content, they will see a shield icon in the location bar:

Shield Icon Doorhanger shown on HTTPS page with Mixed Active Content

Clicking on the shield, the user will see options to “Learn More”, “Keep Blocking”, or “Disable Protection on This Page”:

Shield Doorhanger Drop Down UI

If a user decides to “Keep Blocking”, the notification in the location bar will disappear:

If the user decides to Keep Blocking, the shield will disappear.

On the other hand, if a user decides to “Disable Protection on This Page”, all mixed content will load and the lock icon will be replaced with a yellow warning sign:

Yellow Warning Triangle appears after the user Disables Protection

When a user visits an HTTPS page with Mixed Passive Content, Firefox will not block the passive content by default. But since the page is not fully encrypted, the user will not see the lock icon in the location bar:
A page with Mixed Passive Content will show the Globe icon instead of the Lock icon.

Compatibility
We have a master tracking bug for websites that break when Mixed Active Content is blocked in Firefox 23+. In addition to websites that our users have been reporting to us, we are running automated tests on the Top Alexa websites looking for pages with Mixed Active Content. If you run into a compatibility issue with a website involving mixed content, please let us know in the master bug, or take a step further and contact the website to let them know. Chances are, their website is also broken on Chrome and/or Internet Explorer. Chrome and Internet Explorer also have Mixed Content Blockers, but their definitions of Mixed Active and Mixed Passive Content differ from slightly from Firefox’s definition.

Want to learn more?
Still curious and want to learn more details about the Mixed Content Blocker in Firefox? Check out this more detailed blog post or feel free to ask us questions on mozilla.dev.security.

5 responses

  1. Danny Moules wrote on :

    \o/ Massive security win incoming in 3… 2…

  2. maxw3st wrote on ::

    Does this have something to do with why Firefox won’t load the logo image for one of my sites? The logo loads fine in Chrome, IE10, or Safari, but not Firefox. http://sabaki.aisites.com/dbs323/project/masterAi.php Instead FF loads the alt text string. It also won’t load the icon image even if I have the page access it through CSS as a background-image: url(foo.png);.

    1. Daniel Veditz wrote on :

      I don’t notice any differences at that link between Firefox and Chrome. But since your site is “http:” rather than “https:” this change shouldn’t affect it at all.

  3. Chris wrote on :

    It’s riddiculous that FF hasn’t blocked this so far, and shows once again (just like the rogue root CAs included, or the still accepted insecure TLS renego) that FF is absolutely inscecure and Mozilla gives a shit on their user’s security….

    And now you praise yourself cause you treat at least “active” content?… “Passive” content can be just equally as important as active…

    Ridiculous…

  4. statflyer logo wrote on ::

    Every once in the while, the main associates of Mozilla from all all over the planet get together in one place. This is known as the Summit