Mixed content blocker in Firefox for Android

Revision Information
  • Revision id: 105484
  • Created:
  • Creator: Joni
  • Comment: needs vetting by product team; added doorhanger
  • Reviewed: No
  • Ready for localization: No
Revision Source
Revision Content

The template "ApplyToFx" does not exist or has no approved revision.

When you see the shield icon in the address bar, it means that Firefox for Android has blocked content that is insecure on the page you're visiting. We'll explain what that means and what options you have.

mixed content on android

HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS, such as your bank, you'll see a padlockgreen padlock Fx57GreenPadlockpadlock Fx70GreyPadlock icon in the address bar (For details, see How do I tell if my connection to a website is secure?). This means that your connection is authenticated and encrypted, and thus safeguarded from both eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't. For more information about mixed content (active and passive), see this blog post.

What are the risks of mixed content? An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

What options do I have?

Most websites will continue to work normally without any action on your part.

If you need to allow the mixed content to be displayed, you can do that easily:

  1. Tap the shield icon Mixed Content Shield in the address bar and a menu will drop down.
  2. Then tap Disable protection.
    Disable mixed content Android
    • The icon in the address bar will change to an orange warning triangle Warning Identity Icon to remind you that insecure content is being displayed.

To reverse the previous action (re-block mixed content), re-visit the page in a new tab.

Firefox automatically protects you from attacks by blocking insecure content on pages. Firefox will display a lock icon or an orange warning triangle to indicate that mixed content is present on the page.

HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS, such as your bank, you'll see a padlockgreen padlock Fx57GreenPadlockpadlock Fx70GreyPadlock icon in the address bar (For details, see How do I tell if my connection to a website is secure?). This means that your connection is authenticated and encrypted, and thus safeguarded from both eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't. For more information about mixed content (active and passive), see this blog post.

What are the risks of mixed content? An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

How do I know if the Mixed Content Blocker is working?

Firefox will display a lock icon in the address bar when it has blocked insecure content that can potentially be manipulated to steal your information.

mixed content lock android 42

Firefox will display a warning triangle when it has blocked insecure display content (such as images).

warning triangle 42 android

Tap the icon to view more security information about that page:

tap lock icon 42 android

Advanced users only: unblock mixed content

If you need to unblock mixed content, you can do that by changing your about:config settings:

  1. Go to about:config.
  2. Change the security.mixed_content.block_active_content setting to false to unblock HTTP content that can be modified.
  3. To unblock HTTP display content, change the security.mixed_content.block_display_content setting to false.

You'll know when Firefox is not blocking insecure content when you see the lock icon with a red line across it:

mixed content off 42 android


Warning unblocking mixed content can leave you vulnerable to attacks.