Firefox 23 to block insecure contents from being loaded on https pages

[shamu726]

If you are a veteran Firefox user you may remember that Mozilla implemented options to block insecure contents from being loaded on https pages in Firefox 18. The feature has been disabled by default in the version of the browser and users who wanted to increase the security of it had to change the values of its parameters manually to do so.

So what does it do if enabled? Whenever you connect the browser to a secure webpage using SSL - you can confirm that by making sure the web address starts with https - only contents that use SSL should be loaded for security purposes. Websites sometimes load insecure contents, say a script using an http connection on secure sites. That's a security issue right there and the setting introduced in Firefox 18 prevents this from happening if enabled.

Here is a visualization of how this looks like. The insecure script that is loaded inside the secure iframe is not loaded when the feature is enabled.

After rigorous testing Mozilla decided to enable one of the two mixed content preferences in Firefox 23 by default. Firefox 23 is currently the version of the Nightly channel and it will take months before stable users of the browser will be upgraded to that version. Still, it is important to know that this is going to happen eventually.

The developers have integrated two mixed content preferences into the browser:

• security.mixed_content.block_active_content - This preferences blocks active contents including scripts, plug-in contents, inline frames, Web fonts and WebSockets from being loaded on secure websites if they are offered via insecure connections.
• security.mixed_content.block_display_content - The second preference adds static display related contents to the blocked content list. This includes image, audio and video files

If you are running Firefox 18 or newer, you may modify the preferences at any time. Let me show you how to do so.

• Type about:config into the browser's address bar and hit the enter key.
• Confirm that you will be careful if this is the first time you are opening the page.
• Use the search form at the top to filter for security.mixed which should display only the two parameters above.
• A value of True means they are active, while False indicates that they are not enabled.
• To modify the value double-click the parameter.

So, if you want to improve the security of your browser right away, set the active content parameter to true right away.

Source: Ghacks

[psyko666]

Meh.. Nightly already does the job... ;)

[Airstream_Bill]

Thanks for the post. Mine for the moment is now set to true. INTERESTING!

[RobrPatty]

Thanks shamu726.

[SacredCultivator]

Tested and was wondering if that may be why my SkipScreen + Social Fixer (userscript) didn't work. But tried flipping the switches and nothing.

Dang getting errors from both of those for some time now.

[ande]

Default values: