We are experimenting with ways to eliminate insecure content on secure pages, while increasing HTTPS adoption. With bug 1435733 <https://bugzilla.mozilla.org/show_bug.cgi?id=1435733>, we are adding an experimental pref to upgrade all mixed passive content. The pref is enabled by default in Nightly only.

Mixed passive content[1] currently gets loaded in HTTPS pages with a degraded security UI - a grey padlock with a yellow triangle over it. With this change, we will upgrade HTTP mixed passive content (images and media) to HTTPS on secure pages. If the resource doesn’t exist over HTTPS, it will fail to load. The security UI will show the green lock, since no insecure content was loaded on the page.

The categorization of mixed passive content we are using is the same as the one defined in the Mixed Content Specification[2]. For example, srcset and <picture> won’t be upgraded. Chrome is currently also working to experiment in this area as a plan for a new version of the Mixed Content Specification[3].

The preference to disable this is "security.mixed_content.upgrade_display_content", which will be enabled in Nightly by default for two weeks. The code will remain in Firefox.

Developers and Nightly users can see which content is upgraded in the developer console[4].

We would love to hear feedback and receive breakage reports. Please file bugs here:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=DOM%3A%20Security

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
[2] https://w3c.github.io/webappsec-mixed-content/
[3] https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md
[4] https://imgur.com/Ig5QttW
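
An added example, not part of the original post or of Firefox's code: a Python audit a site owner could run over a page's markup to list http:// images and media, marking which ones the post says would be upgraded (and so must be reachable over HTTPS or they fail to load) and which would not (srcset, <picture>). The sample markup and hostnames are constructed; treating an <img> with a srcset attribute or a <picture> parent as the not-upgraded case is an assumption drawn from the post's srcset/<picture> sentence.

```python
from html.parser import HTMLParser

# Constructed sample markup, assumed to be part of a page served over HTTPS.
SAMPLE_HTML = """
<img src="http://img.example/logo.png">
<img src="https://img.example/a.png" srcset="http://img.example/a-2x.png 2x">
<picture><source srcset="http://img.example/hero.webp"><img src="https://img.example/hero.png"></picture>
<video src="http://media.example/clip.mp4"></video>
<audio><source src="http://media.example/track.ogg"></audio>
"""

def insecure(url):
    return url.strip().lower().startswith("http://")

def srcset_urls(value):
    # Each comma-separated candidate is "URL [descriptor]"; keep only the URL.
    return [c.split()[0] for c in value.split(",") if c.strip()]

class PassiveMixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []       # enclosing <picture>/<audio>/<video> elements
        self.findings = []   # (tag, attribute, url, upgraded_by_pref)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        parent = self.open[-1] if self.open else None
        if tag in ("picture", "audio", "video"):
            self.open.append(tag)
        # Assumption: srcset or a <picture> parent means "not upgraded".
        imageset = "srcset" in a or parent == "picture"
        if tag == "img" or (tag == "source" and parent == "picture"):
            urls = [a.get("src", "")] + srcset_urls(a.get("srcset", ""))
            for url in filter(insecure, urls):
                attr = "src" if url == a.get("src") else "srcset"
                self.findings.append((tag, attr, url, not imageset))
        elif tag in ("audio", "video") or (tag == "source" and parent in ("audio", "video")):
            if insecure(a.get("src", "")):
                self.findings.append((tag, "src", a["src"], True))

    def handle_endtag(self, tag):
        if self.open and self.open[-1] == tag:
            self.open.pop()

def audit(html):
    parser = PassiveMixedContentAudit()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for tag, attr, url, upgraded in audit(SAMPLE_HTML):
        print("upgraded" if upgraded else "NOT upgraded", f"<{tag} {attr}>", url)
```

Entries marked as upgraded are the ones to check for HTTPS availability before the pref is on; entries marked NOT upgraded remain ordinary mixed content and need their URLs fixed in the markup.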