Firefox 60: HTTPS upgrade for Mixed Content - gHacks Tech News

Firefox 60: HTTPS upgrade for Mixed Content

Mozilla plans to launch a new feature in Firefox 60 that upgrades optionally-blockable mixed content on HTTPS sites to HTTPS if possible.

The migration to an HTTPS powered World Wide Web is in full swing. One of the byproducts of the migration is that some sites may load HTTPS and HTTP content. This is called Mixed Content and it is undesirable as it reduces security and privacy if loaded.

Mixed Content is divided into blockable and optionally-blockable content. Modern web browsers block any content that may interfere with the display of data on HTTPS web pages if it is loaded using HTTP.

Think of a script that is loaded from an HTTP resource on an HTTPS site. Browsers don't block optionally-blockable content usually on the other hand. This is static content such as images or videos that can't interfere with the web page or data directly.

Firefox displays a different lock symbol on sites with mixed content that is optionally blockable. The browser displays a green lock symbol on HTTPS sites without mixed content.

While optionally-blockable mixed content is less dangerous than blockable mixed content, it is still problematic from a privacy point of view.

HTTPS upgrade for Mixed Content in Firefox

firefox security.mixed_content.upgrade_display_content

Mozilla Firefox 60 includes a feature that changes the browser's behavior when it comes to mixed content that is optionally blockable.

Firefox attempts to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains. If the resource cannot be loaded, it is not displayed at all. This can lead to image, video or audio content not being shown correctly in the browser because of the change.

The limitation is likely the main reason why Mozilla won't activate the feature by default in Firefox 60.

The feature won't be enabled by default in Firefox 60 but users can set it to enabled in the following way:

  1. Load about:config?filter=security.mixed_content.upgrade_display_content in the Firefox address bar.
  2. Double-click on the preference to set it to true.

You can revert the change at any time by setting the preference to false, or by right-clicking on it and selecting the reset option from the context menu.

Now You: Do you care about mixed content? (via Sören)

Related articles

Summary
Firefox 60: HTTPS upgrade for Mixed Content
Article Name
Firefox 60: HTTPS upgrade for Mixed Content
Description
Mozilla plans to launch a new feature in Firefox 60 that upgrades optionally-blockable mixed content on HTTPS sites to HTTPS if possible.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. d3x said on February 24, 2018 at 11:35 am
    Reply

    This way of approaching problem is wrong. Admins should fix this themselves on their website.

    1. Zim said on February 24, 2018 at 12:05 pm
      Reply

      They wouldn’t, that has never happened. The move to HTTPS has been browser-driven from the start. Certificate authorities themselves have to answer to major browsers when they mess up security wise.

    2. Fx0 said on February 24, 2018 at 1:41 pm
      Reply

      Be realistic. A lot of admins don’t do that and HTTPS is important for the security and privacy of the user. So it’s the right approach because resources are very often also available via HTTPS even if referenced via HTTP. So good move from Mozilla from the user’s point of view.

  2. Tom Hawack said on February 24, 2018 at 11:51 am
    Reply

    Martin, I’m afraid I don’t quite understand the implications of,

    “Mozilla plans to launch a new feature in Firefox 60 that upgrades optionally-blockable mixed content on HTTPS sites to HTTPS if possible.”

    Upgrade? Does this mean that Firefox will attempt to switch to https mixed-content originally called with http? And if that fails, will it block the mixed content or revert to http?

    Here, concerning mixed-content, default Firefox settings (except one modification,

    // MIXED CONTENT
    // disable insecure active content on https pages – mixed content
    user_pref(“security.mixed_content.block_active_content”, true); // Default = true
    // disable insecure passive content (such as images) on https pages – mixed context
    user_pref(“security.mixed_content.block_display_content”, false); // Default = false
    // enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
    // user_pref(“security.mixed_content.use_hsts”, true); // Default = false, I leave it false
    user_pref(“security.mixed_content.send_hsts_priming”, false); // Default = true

    As always I refer to Pants’ Ghacks-userjs settings.

      1. Tom Hawack said on February 24, 2018 at 2:08 pm
        Reply

        Google’s Group indeed states “If the resource doesn’t exist over HTTPS, it will
        fail to load. [regarding mixed passive content unavailable via https after testing]”

        I remain a bit surprised as I’ve always considered that if non-secured Mixed Active Content should be blocked (and it is by default on Firefox), on the other hand non-secured Mixed Passive Content had no serious reason to be blocked (and it isn’t on Firefox at this time).

        That Firefox 60 plans to start Mixed Passive Content with https is great, but blocking it in case it fails to load via https surprises me. At this time much passive content transits only through http…

    1. Martin Brinkmann said on February 24, 2018 at 1:51 pm
      Reply

      Tom, yes, it attempts to load the resource from HTTPS instead of the referenced HTTP. If that does not work, it blocks the resource. Not sure why they don’t fall back to HTTP in that case though.

    2. Tom Hawack said on February 24, 2018 at 1:58 pm
      Reply

      Thanks @Jessica @Martin.
      I’ll have a look at the the Google Groups link.

      1. Jessica said on February 24, 2018 at 4:37 pm
        Reply

        Note that this is an experiment and the setting is enabled only in Nightly by default temporarily to gather some feedback, as per the thread I linked to.

  3. Kubrick said on February 24, 2018 at 12:20 pm
    Reply
  4. Richard Allen said on February 24, 2018 at 1:03 pm
    Reply

    Looks to me like the default for the preference is true which is what I’m seeing in my Nightly install. Also, in the screenshot it looks like the text is not in bold.

    Anyway, I wanted to test the preference and can’t find a website that uses mixed content. Instead of the new option being ahead of its time maybe it’s day late and two dollars short? LoL

    1. Tom Hawack said on February 24, 2018 at 1:56 pm
      Reply

      @Richard, I have two linnks which you may find interesting:

      Mixed content Test (Bennish) [https://www.bennish.net/mixed-content.html]
      Mixed Content Test (Mozilla) [https://people.mozilla.org/~mkelly/mixed_test.html]
      – -> [People.mozilla.org] was DOWN at ~2018-02-24-12:30 GMT

      1. Richard Allen said on February 24, 2018 at 2:28 pm
        Reply

        Thank you sir! I bookmarked the first link and the second one was down for me also.

        Is mixed content even a thing anymore? I opened dozens of my bookmarks and am yet to see a website that uses mixed content.

  5. Richard Allen said on February 24, 2018 at 4:02 pm
    Reply

    I went through my bookmarks again and found some that use mixed content and they are: Feedly and MIT Technology Review. Oh, and the link posted by @Jessica led me to Google Assistant.

    The new preference is working like it should on the three websites mentioned above and they all show that they are secure. If I didn’t open the browser console I would never be able to tell that the insecure content was upgraded and the page load times seem to be unaffected. I’m kind of impressed by how well it works on my end.

  6. InGSoC said on February 24, 2018 at 6:51 pm
    Reply

    Hello there,

    as long as we cannot hide completely through a Stealthcap implemented in any Browser, we are visible, sooo…?

    What’s the Deal? Secure? Nonsecure, what does that gonna prove, hmmm?

    Thee Internet is NOT programmed to be invisible, so, i do not generally understand all that, this

    and that Company plans to do this and that.

    Replicants are like any other Machines, wheteher they are a Benefit or a Hazard.

    If they are a Benefit, not my Problem, GG

    Greets, InGSoC.

    1. Tom Hawack said on February 24, 2018 at 7:08 pm
      Reply

      Privacy and security. Upgrading “optionally-blockable mixed content on HTTPS sites to HTTPS if possible” concerns security. I understand your opinion regarding privacy on the Web but security is maybe a less controversial topic.

  7. InGSoC said on February 24, 2018 at 7:17 pm
    Reply

    Hihi,

    if i wouldn’t have an Interest in Anagrams, i’ like to say Tomahwack is false written.

    It’s without theee C, but,…that’s only mee Opinion.

    Greets, InGSoC.

    1. Tom Hawack said on February 24, 2018 at 7:26 pm
      Reply

      I’m French, not Belgian!

  8. John said on February 25, 2018 at 6:59 pm
    Reply

    Better to side with being safe and all https then mixed mode risking a lot. Browser doing right by users to force https and notify of issues or even block eventually. Let the web sites fix what’s wrong and side on security. Still cannot believe how many sites still not https even technology sites you would think would be ahead of the came and know the importance.

    1. John Fenderson said on February 26, 2018 at 5:54 pm
      Reply

      @John: “Better to side with being safe and all https then mixed mode risking a lot.”

      Best of all is allowing users to make those sorts of decisions for themselves. Browsers shouldn’t be forcing anybody to do anything. Encouraging, sure. Making the default behavior “safe”, fine. Forcing, though, is completely unacceptable.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.