This forum is a discussion about improving the "Mixed content blocking in Firefox" article. If you'd like to participate, please register.

If you need help with Firefox, please ask a question.

Changes to Mixed Content icons in Firefox 50

  • 9 Replies
  • Last reply by AliceWyman
  1. tanvi 0 posts
    Report Abuse

    In Firefox 50+, we no longer show the green lock with the grey warning triangle when active mixed content is blocked on a page: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-24-10-9aac9a.png

    Instead, we just show the green lock (same as if it were a secure page). The user has to click on the lock and open Control Center in order to see that Mixed Active Content was blocked on the page (to keep the user safe). From the Control Center, they can then disable protection, just as before.

    So in these images, the Control Center part looks the same but the green lock+grey triangle icon in the urlbar is replaced with just the green lock: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-08-17-50-34-098f6b.png https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-31-16-059641.png

    The text and images in this article need to be updated accordingly.

    Here is a test page where you can try this out: https://mixed-script.badssl.com/

    In Firefox 50+, we no longer show the green lock with the grey warning triangle when active mixed content is blocked on a page: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-24-10-9aac9a.png Instead, we just show the green lock (same as if it were a secure page). The user has to click on the lock and open Control Center in order to see that Mixed Active Content was blocked on the page (to keep the user safe). From the Control Center, they can then disable protection, just as before. So in these images, the Control Center part looks the same but the green lock+grey triangle icon in the urlbar is replaced with just the green lock: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-08-17-50-34-098f6b.png https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-31-16-059641.png The text and images in this article need to be updated accordingly. Here is a test page where you can try this out: https://mixed-script.badssl.com/
  2. AliceWyman 4857 posts
    Report Abuse

    I set up a "Needs change" entry.

    I set up a "Needs change" entry.
  3. AliceWyman 4857 posts
    Report Abuse

    P.S. I see a SUMO KB Content bug report was filed and Joni (jsavage) was Need-Info'ed: Bug 1322183 - Mixed Content Support Page needs updating For Firefox 50+

    See also this discussion thread (posted August 15, 2016): https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox/discuss/6765 [Fx50] Green lock will be shown on secure pages, whether or not mixed content is blocked

    P.S. I see a SUMO KB Content bug report was filed and Joni (jsavage) was Need-Info'ed: [https://bugzilla.mozilla.org/show_bug.cgi?id=1322183 Bug 1322183] - Mixed Content Support Page needs updating For Firefox 50+ See also this discussion thread (posted August 15, 2016): https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox/discuss/6765 [Fx50] Green lock will be shown on secure pages, whether or not mixed content is blocked
  4. Богданцев Сергій 111 posts
    Report Abuse

    You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon."

    But you forgot about white space before that text.

    You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon." But you forgot about white space before that text.
  5. AliceWyman 4857 posts
    Report Abuse

    Богданцев Сергій said

    You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon." But you forgot about white space before that text.

    For the record:

    Revision id: 136223 Created: Dec 13, 2016, 4:48:58 PM Creator: jsavage Comment: updated for 50 Reviewed: Yes Reviewed: Dec 13, 2016, 4:51:10 PM Reviewed by: jsavage Is approved? Yes Is current revision? Yes Ready for localization: Yes Readied for localization: Dec 13, 2016, 4:51:10 PM Readied for localization by: jsavage

    ''Богданцев Сергій [[#post-14896|said]]'' <blockquote> You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon." But you forgot about white space before that text. </blockquote> For the record: Revision id: 136223 Created: Dec 13, 2016, 4:48:58 PM Creator: jsavage Comment: updated for 50 Reviewed: Yes Reviewed: Dec 13, 2016, 4:51:10 PM Reviewed by: jsavage Is approved? Yes Is current revision? Yes Ready for localization: Yes Readied for localization: Dec 13, 2016, 4:51:10 PM Readied for localization by: jsavage
  6. AliceWyman 4857 posts
    Report Abuse

    I made a new revision to the "No mixed content: secure" section to add more information for fx50. I also added the missing space that was mentioned earlier, after the {for fx50} tag.

    I made a new revision to the "No mixed content: secure" section to add more information for fx50. I also added the missing space that was mentioned earlier, after the {for fx50} tag.
    Modified by AliceWyman on
  7. Tonnes 59 posts
    Report Abuse

    This may be an old thread, but I wonder if the text should be updated according to these changes as recently some support questions came up where users think they are not able to unblock content. What happens is they see the grey padlock and yellow triangle, which would mean Firefox is not actively blocking content IIUC (if that’s still possible at all) but merely showing a warning about it being displayed. They may be confused by the Connection is Not Secure message. Thoughts?

    This may be an old thread, but I wonder if the text should be updated according to these changes as recently some support questions came up where users think they are not able to unblock content. What happens is they see the grey padlock and yellow triangle, which would mean Firefox is not actively blocking content IIUC (if that’s still possible at all) but merely showing a warning about it being displayed. They may be confused by the Connection is Not Secure message. Thoughts?
  8. AliceWyman 4857 posts
    Report Abuse

    What text do you want to change and what would you suggest? Test page: https://mixed.badssl.com/

    What text do you want to change and what would you suggest? Test page: https://mixed.badssl.com/
  9. AliceWyman 4857 posts
    Report Abuse

    Tonnes said

    They may be confused by the Connection is Not Secure message. Thoughts?

    Image:Fx59MixedContent-warning

    Fx59MixedContent-warning

    P.S. Posted Jan 9, 2018 by cor-el in https://support.mozilla.org/en-US/questions/1198894#answer-1062321 (quote) Mixed passive content like images (block_display_content) isn't blocked by default, but you will merely see the warning that the page isn't secure because such content is allowed.<snip> See also: https://developer.mozilla.org/Security/MixedContent

    From https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content {quote} Types of mixed content

    There are two categories for mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc. Mixed passive/display content

    Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

    ''Tonnes [[#post-16510|said]]'' <blockquote> They may be confused by the Connection is Not Secure message. Thoughts? </blockquote> Image:Fx59MixedContent-warning ;[[Image:Fx59MixedContent-warning]] P.S. Posted Jan 9, 2018 by cor-el in https://support.mozilla.org/en-US/questions/1198894#answer-1062321 (quote) ''Mixed passive content like images (block_display_content) isn't blocked by default, but you will merely see the warning that the page isn't secure because such content is allowed.<snip> See also: https://developer.mozilla.org/Security/MixedContent '' From https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content {quote} '''''Types of mixed content''''' ''There are two categories for mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc. '''''Mixed passive/display content''''' ''Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.''
    Modified by AliceWyman on
  10. AliceWyman 4857 posts
    Report Abuse

    I have a new revision pending review, to add more information on mixed active and mixed passive content, including a link to the https://developer.mozilla.org/docs/Web/Security/Mixed_content Mozilla Developer Network article.

    I have a new revision pending review, to add more information on mixed active and mixed passive content, including a link to the https://developer.mozilla.org/docs/Web/Security/Mixed_content Mozilla Developer Network article.