Mixed content blocker in Firefox for Android


This feature has been improved in the latest version of Firefox for Android. Update Firefox for Android to use the improved version.

When you see the shield icon in the address bar, it means that Firefox for Android has blocked content that is insecure on the page you're visiting. We'll explain what that means and what options you have.


What is mixed content?

HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS (green padlock in the address bar), like your bank, your connection is authenticated and encrypted and hence safeguarded from eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

Note: For more information about mixed content (active and passive), see this blog post.

What are the risks of mixed content?

An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

What options do I have?

Most websites will continue to work normally without any action on your part.

If you need to allow the mixed content to be displayed, you can do that easily:

  1. Tap the shield icon in the address bar and a menu will drop down.
  2. Then tap Disable protection.
    • The icon in the address bar will change to a crossed out shield icon to remind you that insecure content is being displayed.

To reverse the previous action (re-block mixed content), re-visit the page in a new tab.

Firefox automatically protects you from attacks by blocking potentially harmful insecure content on pages. Firefox will display a grey warning triangle or crossed-out lock to indicate that mixed content has loaded on the page.

How do I know if a page has mixed content?

If you see the green lock icon in the address bar, the page is secure. If the page had any insecure elements, Firefox already blocked them to keep the page secure. Tap the icon to view more security information, and see whether or not Firefox had blocked any insecure elements.

Firefox will display a grey warning triangle when insecure passive content is present and loaded on a page. If you see this icon, be aware that attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn’t be able to steal your personal data from the site.

If you see a lock with a red line over it, Firefox is not blocking insecure elements, and that page is open to eavesdropping and attacks where your personal data from the site could be stolen. Unless you’ve unblocked mixed content using the instructions in the next section, you shouldn’t see this icon.

Advanced users only: unblock mixed content

If you need to unblock mixed content, you can do that by changing your about:config settings. This setting will affect all the pages you visit:

  1. Go to about:config.
  2. Change the security.mixed_content.block_active_content setting to false to unblock HTTP content.
  3. You'll know that Firefox is not blocking potentially harmful insecure content when you see the lock icon with a red line across it.
Warning: Unblocking mixed content can leave you vulnerable to attacks.
Developers: If your website is generating security errors because of insecure content, see this MDN article on how to fix a website with mixed content.
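
For the developer case above, here is a small check that lists the HTTP subresources an HTTPS page references and labels each as active or passive. It is an added example, not code from Mozilla or Firefox; the function name, the sample markup, the example.test hosts and the tag-to-category mapping are assumptions made for illustration.

```javascript
// Added example: find http:// subresources referenced by an HTTPS page.
// Assumed mapping: scripts, frames and stylesheets are "active";
// images, audio and video are "passive".
const ACTIVE = new Set(["script", "iframe", "link"]);

function findMixedContent(pageUrl, html) {
  const findings = [];
  // A page served over plain HTTP has no "mixed" content by definition.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  const tagRe = /<(script|iframe|link|img|audio|video)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // This sketch looks only at stylesheet links, not other <link> kinds.
    if (tag === "link" && !/(?:^|\s)rel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const attrName = tag === "link" ? "href" : "src";
    // Require whitespace before the name so data-src is not mistaken for src.
    const am = new RegExp(`(?:^|\\s)${attrName}\\s*=\\s*["']?([^"'\\s>]+)`, "i").exec(attrs);
    if (!am) continue;
    let resolved;
    // Resolve against the page URL: relative and //host URLs inherit https.
    try { resolved = new URL(am[1], pageUrl); } catch { continue; }
    if (resolved.protocol !== "http:") continue;
    findings.push({ tag, url: resolved.href, kind: ACTIVE.has(tag) ? "active" : "passive" });
  }
  return findings;
}

// Constructed sample markup (not from a real site).
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png" alt="logo">
<img src="/local.png" data-src="http://img.example.test/lazy.png">
<iframe src="https://frames.example.test/widget"></iframe>
`;

const report = findMixedContent("https://shop.example.test/cart", SAMPLE_HTML);
for (const f of report) console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
```

Rewriting each reported URL to https:// (or serving the resource from the same origin) removes the finding; protocol-relative and relative references are not reported because they inherit the page's scheme.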



These fine people helped write this article: underpass, Tonnes, rtanglao, Verdi, feer56, soucet, amitshree, tanvi, ouesten, jsavage. You can help too - find out how.