Mixed content blocking in Firefox

Revision Information
  • Revision id: 136223
  • Created:
  • Creator: Joni
  • Comment: updated for 50
  • Reviewed: Yes
  • Reviewed:
  • Reviewed by: heyjoni
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: Yes
  • Readied for localization:
  • Readied for localization by: heyjoni
Revision Source
Revision Content

Firefox protects you from attacks by blocking potentially harmful, insecure content on web pages that are supposed to be secure. Keep reading to learn more about mixed content and how to tell when Firefox has blocked it.

HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS, such as your bank, you'll see a padlockgreen padlock Fx57GreenPadlockpadlock Fx70GreyPadlock icon in the address bar (For details, see How do I tell if my connection to a website is secure?). This means that your connection is authenticated and encrypted, and thus safeguarded from both eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't. For more information about mixed content (active and passive), see this blog post.

What are the risks of mixed content? An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

How can I tell if a page has mixed content?

Look for an icon in your address bar to determine if the page has mixed content.

green lock 52

No mixed content: secure

  • green lock 42: You’ll see a green lock when you are on a fully secure page.To see if Firefox blocked any mixed content on the page, click the green lock icon.

Mixed content is blocked: secure

  • blocked secure 42: You'll see a green lock with a grey warning triangle when Firefox has blocked any insecure elements on the page. This means that the page is now secure. Click on the icon to expand the Control Center and see more security details about that page.

Mixed content is not blocked: not secure

  • unblocked mixed content 42: If you see a lock with a red line over it, Firefox is not blocking insecure elements, and that page is open to eavesdropping and attacks where your personal data from the site could be stolen. Unless you’ve unblocked mixed content using the instructions in the next section, you shouldn’t see this icon.
  • orange triangle grey lock 42: A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn’t be able to steal your personal data from the site.

Unblock mixed content

Unblocking insecure elements is not recommended, but can be done if necessary:

  1. Click the lock icon in the address bar.
  2. Click the arrow on the Control Center:
    unblock mixed content 42blocked 52
  3. Click Disable protection for now.
    disable protection 42disable blocking 52

To enable protection, follow the preceding steps and click Enable protection.

Warning: Unblocking mixed content can leave you vulnerable to attacks.
Developers: If your website is generating security errors because of insecure content, see this MDN article on how to fix a website with mixed content.