1 Star2 Stars3 Stars4 Stars5 Stars (8 votes, average: 3.88 out of 5)
Loading ... Loading ...

Firefox’s New Mixed Content Blocker

July 1, 2013 James Labonte

Mozilla just released their new “Mixed Content Blocker” feature in the latest beta release of Firefox. It is a new feature for Firefox, which blocks insecure (HTTP) content that is being served on SSL-secured sites (HTTPS). The Mixed Content Blocker is shown as a shield in the browser bar, to the left of the SSL encryption lock.

The Mixed Content Blocker is a proactive protection measure that stops “active” content from running on SSL-encrypted sites, which can hijack or modify a viewer’s. It will launch officially with Firefox 23 in August. The Mixed Content Blocker will be on by default and will block all insecure “active” content. What is active content? Any content which has the ability to modify the page or browser. This includes JavaScript, CSS, iframes, fonts, objects, and xhr requests.

For sites running insecure active content this does pose a problem, as it will prevent the site from working properly in the next version of Mozilla’s browser. But both Internet Explorer and Chrome have this feature already – so do not worry – if they work there they will work in Firefox 23. In fact, for your site visitors’ who use Firefox they will actually be treated to a kinder message.

In some cases, the Mixed Content Blocker beneficent to sites, because instead of displaying the yellow warning triangle it shows the new shield icon, and in cases in which the Mixed Content Blocker has removed all insecure content, it will allow the regular lock to be displayed.

The below image shows the same URL in Firefox 23 and Chrome, which will look better to users


What this means for your website:

As mentioned above – Chrome and Internet Explorer already have this feature, so if your website works there, it will work in the new version of Firefox.

However, we recommend that you secure all assets on your site to ensure the best protection for your users. Active content needs to be served over HTTPS to have your site function properly in modern browsers, so that is your first priority. Whenever possible also secure static content – such as images, and audio and video files.

To do so, make sure that assets that are being imported or linked are done so with a HTTPS address from a server with SSL. If you use third party services or external assets, many popular services such as Google AdWords, Fonts.com, and more, provide HTTPS versions of their content.

If you are a web developer you can easily check what content on your site is insecure by checking your site on www.WhyNoPadlock.com (Or Ctrl+Shift+J in Chrome). Remember, html links do not affect if a site is shown as secure.

Comments are closed.