Compare Revisions
Mixed content blocking in Firefox
Revision 201174 by AliceWyman on
Revision 207457 by peregrin.hendley on
Search results summary:
Firefox automatically blocks insecure or mixed content from secure web pages. We'll explain what that means and what options you have.
Content:
Firefox protects you from attacks by blocking potentially harmful, insecure content on web pages that are supposed to be secure. Keep reading to learn more about mixed content and how to tell if Firefox has blocked it.
__TOC__
=What is mixed content and what are the risks?=
<!-- Localizers: The content in this template originally came directly from the original mixed content article - https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety -->
HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and [https://wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle attacks]. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.
When you visit a page fully transmitted over HTTPS, such as your bank, you'll see a {for not fx70}green padlock [[Image:Fx57GreenPadlock]]{/for}{for fx70} padlock [[Image:Fx70GreyPadlock]]{/for} icon in the address bar (for details, see [[How do I tell if my connection to a website is secure?]]). This means that your connection is authenticated and encrypted, and thus safeguarded from both eavesdroppers and man-in-the-middle attacks.
However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted, and even though it appears to be secure, it isn't. For more information about mixed content (active and passive), see [https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23 this blog post].
{warning}'''What are the risks of mixed content?''' An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.{/warning}
=How can I tell if a page has mixed content?=
There are two types of mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level. Look for a padlock icon in your address bar to determine whether the page has mixed content.
{for fx70}[[Image:FF70 Gray Padlock]]{/for}{for not fx70}[[Image:Fx69GreenPadlockWithShield]]{/for}
{note}'''Note:''' The shield icon [[Image:Address bar shield]] in the address bar tells you which trackers have been blocked on a website. See {for not fx70}[[Content blocking]]{/for}{for fx70}[[Enhanced Tracking Protection in Firefox for desktop|Enhanced Tracking Protection]]{/for} for more information.{/note}
==No mixed content: secure==
*{for fx70}[[Image:Gray padlock - Firefox 70]]{/for}{for not fx70}[[Image:green lock 42]]{/for}: You’ll see a {for fx70}gray{/for}{for not fx70}green{/for} padlock when you are on a fully secure (HTTPS) page. To see if Firefox has blocked parts of the page that are not secure, click the {for fx70}gray{/for}{for not fx70}green{/for} padlock. For more information, see the [[#w_unblock-mixed-content|Unblock mixed content]] section below.
==Mixed content is not blocked: not secure==
*[[Image:unblocked mixed content 42]]: If you see a padlock with a red line over it, the page contains mixed active content and Firefox is not blocking insecure elements. That page is open to eavesdropping and attacks where your personal data from the site could be stolen. Unless you’ve unblocked mixed content using the instructions in the next section, you shouldn’t see this icon on a secure (HTTPS) website. '''Note''': A padlock with a red line is also shown on {for fx70}unencrypted (HTTP or FTP) websites{/for}{for not fx70}an [[Insecure password warning in Firefox|unencrypted (HTTP) login page]]{/for}.
*[[Image: orange triangle grey lock 42]]: A gray padlock with an orange or yellow triangle indicates that Firefox is not blocking insecure passive content, such as images. By default, Firefox does not block mixed passive content; you will simply see a warning that the page isn't fully secure. Attackers may be able to manipulate parts of the page, for example by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site.
For more information about mixed active and passive content, see [https://developer.mozilla.org/docs/Web/Security/Mixed_content this Mozilla Developer Network article].
=Unblock mixed content=
Unblocking insecure elements is not recommended but can be done, if necessary:
#Click the lock icon in the address bar.
#Click the arrow on the Control Center:
#;{for fx70}[[Image:FF70 Mixed Content]]{/for}{for not fx70}[[Image:Fx63MixedContent]]{/for}
#Click {button Disable protection for now}.
#;{for fx70}[[Image:FF70 Disable Protection]] {/for}{for not fx70}[[Image:Fx63MixedContent-DisableProtection]]{/for}
To enable protection, follow the preceding steps and click {button Enable protection}.
{warning}'''Warning:''' Unblocking mixed content can leave you vulnerable to attacks.{/warning}
{note}'''Developers:''' If your website is generating security errors because of insecure content, see this MDN article on [https://developer.mozilla.org/docs/Security/MixedContent/How_to_fix_website_with_mixed_content how to fix a website with mixed content].{/note}
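For site owners auditing their own pages, the active/passive distinction described above can be checked offline. The following Python sketch is an added example, not code from this article or from Mozilla: it lists the subresources an HTTPS page would request over plain HTTP and labels each as active or passive. The function and class names, the tag table and the <code>example.test</code> hosts are assumptions made for illustration; the article itself names only images as passive content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). Active loads can change page behaviour;
# passive/display loads only show or play media.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel includes "stylesheet"
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        if not a.get(attr):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, a[attr].strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """Return findings; a page not served over HTTPS has no mixed content."""
    scanner = MixedContentScanner(page_url)
    if urlsplit(page_url).scheme == "https":
        scanner.feed(html)
        scanner.close()
    return scanner.findings

# Constructed sample page (example.test hosts are placeholders).
SAMPLE = """<head><script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://example.test/site.css"></head>
<body><img src="http://img.example.test/logo.png"><img src="/local.png">
<iframe src="//frames.example.test/widget"></iframe></body>"""

if __name__ == "__main__":
    print(find_mixed_content("https://example.test/", SAMPLE))
```

The scan covers only URLs written in the markup; requests made by scripts at run time (such as XHR or fetch) still show up only in the browser's Web Console.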