{"id":2877,"date":"2024-06-05T06:05:31","date_gmt":"2024-06-05T13:05:31","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2877"},"modified":"2024-06-11T08:55:49","modified_gmt":"2024-06-11T15:55:49","slug":"firefox-will-upgrade-more-mixed-content-in-version-127","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2024\/06\/05\/firefox-will-upgrade-more-mixed-content-in-version-127\/","title":{"rendered":"Firefox will upgrade more Mixed Content in Version 127"},"content":{"rendered":"

Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS<\/a><\/span>. As a reminder, HTTP over TLS (HTTPS)<\/a><\/span>\u00a0fixes the security shortcoming of HTTP by creating a secure and encrypted connection. Oftentimes, when web applications enable encryption with HTTPS on their servers, legacy content may still contain references using HTTP, even though that content would also be available over a secure and encrypted connection. When such a document gets loaded over HTTPS but subresources like images, audio and video are loaded using HTTP, it is referred to as \u201cmixed content\u201d.<\/span><\/p>\n

Starting with version 127, Firefox is going to automatically upgrade audio, video, and image subresources from HTTP to HTTPS.<\/span><\/p>\n

Background<\/span><\/h2>\n

When introducing the notion of \u201cmixed content<\/a><\/span>\u201d a long while ago, browsers used to make a fairly sharp distinction between active and passive mixed content: Loading scripts or iframes over HTTP can be really detrimental to the whole document\u2019s security and has long since been blocked as \u201cactive mixed content\u201d. Images and other resources were otherwise called \u201cpassive\u201d or \u201cdisplay\u201d mixed content. If a network attacker could modify them, they would not gain full control over the document. So, in hope of supporting most existing content<\/a><\/span>, passive content had been allowed to load insecurely, albeit with a warning in the address bar.<\/span><\/p>\n

\"\"<\/p>\n

\"Previous<\/a>

Previous behavior, without upgrading: Degraded lock icon, with a warning sign in the lower right corner.<\/p><\/div>\n

With the web platform supporting many new and exciting forms of content (e.g., responsive images<\/a><\/span>), that notion became a bit blurry: Responsive images are not active in a sense that a malicious responsive image can take over the whole web page. However, with an impetus toward a more secure web, since 2018, we require that new features are only available when using HTTPS<\/a><\/span>.<\/span><\/p>\n

Upgradable and blockable mixed content<\/span><\/h2>\n

Given these blurry lines between active and passive mixed content, the latest revision of the Mixed content standard<\/a><\/span>\u00a0distinguishes between blockable and upgradable content, where scripts, iframes, responsive images and really all other features are considered blockable. The formerly-called passive content types (<img><\/span><\/code>, <audio><\/span><\/code>\u00a0and <video><\/span><\/code>\u00a0elements) are now being upgraded by the browser to use HTTPS and are not loaded if they are unavailable via HTTPS.<\/span><\/p>\n

This also introduces a behavior change in our security indicators: Firefox will no longer make use of the tiny warning sign in the lower right corner of the lock icon:<\/span><\/p>\n

\"After<\/a>

After our change. A fully secure lock icon. The image load was successfully upgraded or failed (e.g., Connection Reset).<\/p><\/div>\n

With Firefox 127, all mixed content will either be blocked or upgraded. Making sure that documents transferred with HTTPS remain fully secure and encrypted.<\/p>\n

Enterprise Users<\/span><\/h2>\n

Enterprise users that do not want Firefox to perform an upgrade have the following options by changing the existing preferences:<\/span><\/p>\n