Mixed SSL content not blocked by Firefox
This is a long standing problem for Firefox and makes me stay away from it for any online commerce/banking transactions. Internet Explorer is the safest in this case as it gives the user an option to block the insecure content before loading it, but Firefox just shows a useless mixed content warning but still loads the insecure page. I have seen bugzilla items pointing to this and Mozilla's stringent 'NO' to fixing this glaring security hole. I want to know when this issue will be resolved and what is Mozilla doing in the interim to thwart problems with such sites?
Additional System Details
- Google Update
- Shockwave Flash 11.4 r402
- Adobe PDF Plug-In For Firefox and Netscape 10.1.4
- Adobe Shockwave for Director Netscape plug-in, version 22.214.171.1245
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
hey techybrainz, this is probably the wrong place to get this question answered, since it is essentially a users-helping-users forum & developers won't read here... please go to firefox > help > send feedback to make suggestions or request features.
but from what i can read out of the relevant bugzilla entries, there is no 'NO' on this item, quite the opposite ("We really want this, but we need the core bugs fixed to allow this..."). those outstanding core-bugs apparently got fixed and will land in firefox 18, so there is a good chance that this can actually be implemented afterwards...
Hey madperson, thanks for the quick and encouraging response. Excuse me for the delayed response. Have put a complaint via the Help->Feedback method. Must admit that I am a bit surprised that none of the devs give this forum a visit. 321022 is the one I was referring in bugzilla. I see that the dependencies are crossed out as done (you are right, and its vide Firefox 18) around September, but there is no traction on implementing 321022 as its still un-assigned.
Modified by techybrainz
See also bug 62178 (implement mechanism to prevent sending insecure requests from a secure context)
in about:config you can toggle security.mixed_content.block_active_content & security.mixed_content.block_display_content to true, at a later stage there will also be a visual UI created fro mixed content (see bug #782654 & the design specs pdf)