cancel
Showing results for 
Search instead for 
Did you mean: 

Mixed content blocking in Firefox

Firefox protects you from attacks by blocking potentially harmful, insecure content on web pages that are supposed to be secure. Keep reading to learn more about mixed content and how to tell when Firefox has blocked it.

What is mixed content?

HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS, like your bank, you'll see a green padlock icon in the address bar (see How do I tell if my connection to a website is secure? for details). This means that your connection is authenticated and encrypted, hence safeguarded from eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

Note: For more information about mixed content (active and passive), see this blog post.

What are the risks of mixed content?

An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

How can I tell if a page has mixed content?

Look for an icon in your address bar to determine if the page has mixed content.

green lock 52

No mixed content: secure

  • green lock 42 : You’ll see a green lock when you are on a fully secure page. To see if Firefox has blocked parts of the page that are not secure, click the green lock icon. For more information, see the Unblock mixed content section, below.

Mixed content is blocked: secure

  • blocked secure 42 : You'll see a green lock with a grey warning triangle when Firefox has blocked any insecure elements on the page. This means that the page is now secure. Click on the icon to expand the Control Center and see more security details about that page.

Mixed content is not blocked: not secure

  • unblocked mixed content 42 : If you see a lock with a red line over it, Firefox is not blocking insecure elements, and that page is open to eavesdropping and attacks where your personal data from the site could be stolen. Unless you’ve unblocked mixed content using the instructions in the next section, you shouldn’t see this icon.
  • orange triangle grey lock 42 : A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn’t be able to steal your personal data from the site.

Unblock mixed content

Unblocking insecure elements is not recommended, but can be done if necessary:

  1. Click the lock icon in the address bar.
  2. Click the arrow on the Control Center:
    unblock mixed content 42 blocked 52
  3. Click Disable protection for now.
    disable protection 42 disable blocking 52

To enable protection, follow the preceding steps and click Enable protection.

Warning: Unblocking mixed content can leave you vulnerable to attacks.
Developers: If your website is generating security errors because of insecure content, see this MDN article on how to fix a website with mixed content.
Customize this article

Firefox

Firefox for Android

Firefox for iOS

Firefox OS

Thunderbird

Version History
Revision #:
3 of 3
Last update:
3 weeks ago
Updated by:
 
Comments
underpass

Hello, could you please add the "Share" template at the very end of the article? Thanks.

added

thanks

underpass

Hello Swarnava, this article is not yet marked as ready for localization. When are we you going to release it?

Related article discussion:

One big complaint with choosing the "Disable protection on this page" option is that it only works for the current page load. This article doesn't make that very clear.

In Forum Response - Mixed Content we suggest toggling the preference security.mixed_content.block_active_content in about:config (or an add-on to toggle the preference) but this disables mixed content blocking for all websites, which is a bad idea because of the security vulnerability. What users say they want is a way to disable protection for specific websites but there's no way to do that right now.

Related bugs:

  • Bug 902156 - Persist "disable protection" option for Mixed Content Blocker (fixed in Firefox 26)
  • Bug 873349 - Add a whitelist for mixed content blocking
  • Bug 815321 - (MixedContentBlocker) Master Bug for Mixed Content Blocker

Posted in Bug 822373 - Learn More pages for Mixed Content Blocker (comment 21)

Tanvi Vyas [:tanvi] 2015-02-20 13:56:00 PST
Thanks to marko for updating https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=i... with new screenshots.  Since Tracking Protection landed, the shield looks a little different.  The updates are in review.
Looks like the Android page needs updates too since tracking protection changed the UI in androdi as well - https://support.mozilla.org/en-US/kb/how-does-insecure-content-affect-safety-android.  Can someone from SUMO help get screenshots for this?
tanvi

I looked at the Android UI this week and it actually hasn't changed since TP was added, so I no longer thing the android article needs an update.

tanvi

For this article, I'm just waiting for Marko's changes to get approved.

The "green padlock" link that appears in the "What is mixed content?" section of this article is from Template:aboutmixedcontent and needs updating for fx42. Related discussion: https://support.mozilla.org/en-US/kb/templateaboutmixedcontent/discuss/6377 Update "green padlock" link for fx42

Done!

Bug 1285967 - Update green lock with grey triangle icon section paragraph for FF 50+ Quote: ...the disable protection option is clicked very rarely, so we decided to simply the UI and remove the green lock with a grey triangle. (Firefox 50) we will just show the green lock, regardless of whether the page has mixed active content that Firefox has blocked or not.

I set up a Needs change entry.

Here's the related Security bug fixed in Firefox 50:

Bug 1269820 - Remove green lock with grey triangle when Mixed Active Content is Blocked

tanvi

In Firefox 50+, we no longer show the green lock with the grey warning triangle when active mixed content is blocked on a page: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-24-10-9aac9a.png

Instead, we just show the green lock (same as if it were a secure page). The user has to click on the lock and open Control Center in order to see that Mixed Active Content was blocked on the page (to keep the user safe). From the Control Center, they can then disable protection, just as before.

So in these images, the Control Center part looks the same but the green lock+grey triangle icon in the urlbar is replaced with just the green lock: https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-08-17-50-34-098f6b.png https://support.cdn.mozilla.net/media/uploads/gallery/images/2015-10-16-20-31-16-059641.png

The text and images in this article need to be updated accordingly.

Here is a test page where you can try this out: https://mixed-script.badssl.com/

I set up a "Needs change" entry.

P.S. I see a SUMO KB Content bug report was filed and Joni (jsavage) was Need-Info'ed: Bug 1322183 - Mixed Content Support Page needs updating For Firefox 50+

See also this discussion thread (posted August 15, 2016): https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox/discuss/6765 [Fx50] Green lock will be shown on secure pages, whether or not mixed content is blocked

Bogdancev

You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon."

But you forgot about white space before that text.

Богданцев Сергій said

You added text for Fx50: "To see if Firefox blocked any mixed content on the page, click the green lock icon." But you forgot about white space before that text.

For the record:

Revision id: 136223 Created: Dec 13, 2016, 4:48:58 PM Creator: jsavage Comment: updated for 50 Reviewed: Yes Reviewed: Dec 13, 2016, 4:51:10 PM Reviewed by: jsavage Is approved? Yes Is current revision? Yes Ready for localization: Yes Readied for localization: Dec 13, 2016, 4:51:10 PM Readied for localization by: jsavage

I made a new revision to the "No mixed content: secure" section to add more information for fx50. I also added the missing space that was mentioned earlier, after the {for fx50} tag.