{"id":1048,"date":"2013-05-16T22:26:49","date_gmt":"2013-05-17T05:26:49","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1048"},"modified":"2013-06-26T16:33:43","modified_gmt":"2013-06-26T23:33:43","slug":"mixed-content-blocking-in-firefox-aurora","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/","title":{"rendered":"Mixed Content Blocking in Firefox Aurora"},"content":{"rendered":"<p>Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages.<\/p>\n<p>When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to &#8220;Disable Protection&#8221; and override the blocking.<\/p>\n<p>What types of Mixed Content are blocked by default and what types are not? The browser security community has divided mixed content into two categories: Mixed Active Content (like scripts) and Mixed Passive Content (like images). Mixed Active Content is considered more dangerous than Mixed Passive Content because the former can alter the behavior of an HTTPS page and potentially steal sensitive data from users. Firefox 23+ will block Mixed Active Content by default, but allows Mixed Passive Content on HTTPS pages. For more information on the differences between Mixed Active and Mixed Passive Content, <a href=\"https:\/\/blog.mozilla.org\/tanvi\/2013\/04\/10\/mixed-content-blocking-enabled-in-firefox-23\/#Mixed_Content_Classifications\">see here<\/a>.<\/p>\n<p><strong>Mixed Content Blocker UI<\/strong><br \/>\nDesigning UI for security is always tricky. 
How do you inform the user about a potential security threat without annoying them and interrupting their task?<\/p>\n<p>Larissa Co (<a href=\"https:\/\/twitter.com\/lyco1\">@lyco1<\/a>) from Mozilla\u2019s User Experience team aimed to solve this problem. She created a Security UX Framework with a set of core principles that drove the <a href=\"https:\/\/people.mozilla.com\/%7Elco\/ProjectSPF\/Mixed_Content\/Mixed_Content_Spec\/Mixed%20Content%20Spec%20v4.pdf\">UX design<\/a> for the Mixed Content Blocker.<\/p>\n<p>When a user visits an HTTPS page with blocked Mixed Active Content, they will see a shield icon in the location bar:<\/p>\n<div>\n<p style=\"text-align: center;\"><a href=\"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter\" alt=\"Shield Icon Doorhanger shown on HTTPS page with Mixed Active Content\" src=\"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg\" width=\"643\" height=\"86\" \/><\/a><\/p>\n<\/div>\n<p>Clicking on the shield, the user will see options to &#8220;Learn More&#8221;, &#8220;Keep Blocking&#8221;, or &#8220;Disable Protection on This Page&#8221;:<\/p>\n<div><a href=\"https:\/\/people.mozilla.com\/~tvyas\/FigureB.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter\" alt=\"Shield Doorhanger Drop Down UI\" src=\"https:\/\/people.mozilla.com\/~tvyas\/FigureB.jpg\" width=\"637\" height=\"309\" \/><\/a><\/div>\n<p>If a user decides to \u201cKeep Blocking\u201d, the notification in the location bar will disappear:<\/p>\n<div id=\"magicdomid61\"><a href=\"https:\/\/people.mozilla.com\/~tvyas\/FigureC.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter\" alt=\"If the user decides to Keep Blocking, the shield will disappear.\" src=\"https:\/\/people.mozilla.com\/~tvyas\/FigureC.jpg\" width=\"644\" height=\"84\" \/><\/a><\/div>\n<p>On the other hand, if a user decides to \u201cDisable Protection on This Page\u201d, all mixed content will load and the 
lock icon will be replaced with a yellow warning sign:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/people.mozilla.com\/~tvyas\/FigureD.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\" aligncenter\" alt=\"Yellow Warning Triangle appears after the user Disables Protection\" src=\"https:\/\/people.mozilla.com\/~tvyas\/FigureD.jpg\" width=\"644\" height=\"87\" \/><\/a><\/p>\n<p>When a user visits an HTTPS page with Mixed Passive Content, Firefox will not block the passive content by default. But since the page is not fully encrypted, the user will not see the lock icon in the location bar:<br \/>\n<a href=\"https:\/\/people.mozilla.com\/~tvyas\/FigureE.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter\" alt=\"A page with Mixed Passive Content will show the Globe icon instead of the Lock icon.\" src=\"https:\/\/people.mozilla.com\/~tvyas\/FigureE.jpg\" width=\"636\" height=\"85\" \/><\/a><\/p>\n<p><strong>Compatibility<\/strong><br \/>\nWe have a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=844556\">master tracking bug<\/a> for websites that break when Mixed Active Content is blocked in Firefox 23+. In addition to websites that our users have been reporting to us, we are running automated tests on the Top Alexa websites looking for pages with Mixed Active Content. If you run into a compatibility issue with a website involving mixed content, please let us know in the <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=844556\">master bug<\/a>, or take a step further and contact the website to let them know. Chances are, their website is also broken on Chrome and\/or Internet Explorer. Chrome and Internet Explorer also have Mixed Content Blockers, but their definitions of Mixed Active and Mixed Passive Content differ slightly from Firefox&#8217;s definition.<\/p>\n<p><strong>Want to learn more?<\/strong><br \/>\nStill curious and want to learn more details about the Mixed Content Blocker in Firefox? 
Check out <a href=\"https:\/\/blog.mozilla.org\/tanvi\/2013\/04\/10\/mixed-content-blocking-enabled-in-firefox-23\">this more detailed blog post<\/a> or feel free to ask us questions on <a href=\"https:\/\/groups.google.com\/forum\/?fromgroups#!forum\/mozilla.dev.security\">mozilla.dev.security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/\">Read more<\/a><\/p>\n","protected":false},"author":412,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mixed Content Blocking in Firefox Aurora - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tanvi Vyas\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/\",\"name\":\"Mixed Content Blocking in Firefox Aurora - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg\",\"datePublished\":\"2013-05-17T05:26:49+00:00\",\"dateModified\":\"2013-06-26T23:33:43+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage\",\"url\":\"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg\",\"contentUrl\":\"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"ite
m\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mixed Content Blocking in Firefox Aurora\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\",\"name\":\"Tanvi Vyas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/bd13e40bb691b46158cd2d4da792993d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g\",\"caption\":\"Tanvi Vyas\"},\"description\":\"Security\/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks\",\"sameAs\":[\"https:\/\/blog.mozilla.org\/tanvi\/\",\"https:\/\/x.com\/@TanviHacks\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mixed Content Blocking in Firefox Aurora - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/","twitter_misc":{"Written by":"Tanvi Vyas","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/","url":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/","name":"Mixed Content Blocking in Firefox Aurora - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage"},"thumbnailUrl":"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg","datePublished":"2013-05-17T05:26:49+00:00","dateModified":"2013-06-26T23:33:43+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#primaryimage","url":"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg","contentUrl":"https:\/\/people.mozilla.com\/~tvyas\/FigureA.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2013\/05\/16\/mixed-content-blocking-in-firefox-aurora\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Mixed Content Blocking in Firefox 
Aurora"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143","name":"Tanvi Vyas","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/bd13e40bb691b46158cd2d4da792993d","url":"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g","caption":"Tanvi Vyas"},"description":"Security\/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks","sameAs":["https:\/\/blog.mozilla.org\/tanvi\/","https:\/\/x.com\/@TanviHacks"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1048"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/412"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1048"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1048\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1048"},{"taxonomy":"post_tag","embeddable":true,"href":"h
ttps:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1048"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}