Security/Features/Mixed Content Blocker: Difference between revisions

no edit summary
Line 17: Line 17:
}}
}}
{{FeaturePageBody
{{FeaturePageBody
|Feature open issues and risks== UI tweaks =
|Feature open issues and risks==== UI tweaks ===
* https://bugzilla.mozilla.org/show_bug.cgi?id=834828 - Make mixed content blocker more discoverable
* https://bugzilla.mozilla.org/show_bug.cgi?id=834828 - Make mixed content blocker more discoverable
* https://bugzilla.mozilla.org/show_bug.cgi?id=834830 - Strike through https
* https://bugzilla.mozilla.org/show_bug.cgi?id=834830 - Strike through https
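Review bot: On the new "|Feature open issues and risks==== UI tweaks ===" line the heading still starts directly after the parameter's "=", leaving a run of four equals signs in which one is the assignment and three belong to the heading. Putting "=== UI tweaks ===" on its own line after "|Feature open issues and risks=" would make the parameter boundary readable and matches how MediaWiki heading markup is written, at the start of a line.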
Line 24: Line 24:
* v2 Technical Information section that shows what is blocked.
* v2 Technical Information section that shows what is blocked.


= Bugs related to Developer and User Information =
=== Bugs related to Developer and User Information ===
* https://bugzilla.mozilla.org/show_bug.cgi?id=837351 - Webconsole + Error Console alerts when Mixed Content is Blocked
* https://bugzilla.mozilla.org/show_bug.cgi?id=837351 - Webconsole + Error Console alerts when Mixed Content is Blocked
* https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry
* https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry
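Review bot: The revision is recorded with no edit summary, although this heading and the two others in the diff drop from level 1 ("= ... =") to level 3 ("=== ... ==="). A one-line summary stating that the subsection headings were demoted would make the intent clear in the page history.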
Line 31: Line 31:
* https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - Distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent
* https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - Distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent


= Edge Cases =
=== Edge Cases ===
* https://bugzilla.mozilla.org/show_bug.cgi?id=418354, https://bugzilla.mozilla.org/show_bug.cgi?id=456957 - Redirects
* https://bugzilla.mozilla.org/show_bug.cgi?id=418354, https://bugzilla.mozilla.org/show_bug.cgi?id=456957 - Redirects
* https://bugzilla.mozilla.org/show_bug.cgi?id=815345 - Session Restore and document.write
* https://bugzilla.mozilla.org/show_bug.cgi?id=815345 - Session Restore and document.write
Line 37: Line 37:
* https://bugzilla.mozilla.org/show_bug.cgi?id=838395 - Relying on HSTS to prevent Mixed Content
* https://bugzilla.mozilla.org/show_bug.cgi?id=838395 - Relying on HSTS to prevent Mixed Content
* https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - Mixed content in iframes.
* https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - Mixed content in iframes.
|Feature overview=The Mixed Content Blocker prevents "mixed script" content, defined as mixed content loads of scripts, plugins, and stylesheets, from being loaded into a secure web page.  The primary threat model is the active network attacker who modifies the contents of mixed script resources to compromise the integrity of a secure web application.  This feature blocks mixed scripts from loading by default, and adds UI that enables a user to reload the page with the insecure content permitted to load.
|Feature overview=The Mixed Content Blocker prevents "mixed script" content, defined as mixed content loads of scripts, plugins, and stylesheets, from being loaded into a secure web page.  The primary threat model is the active network attacker who modifies the contents of mixed script resources to compromise the integrity of a secure web application.  This feature blocks mixed scripts from loading by default, and adds UI that enables a user to reload the page with the insecure content permitted to load.
|Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images, and video.  We have a pref, disabled by default, which when enabled would block these loads as well using the same infrastructure.
|Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images, and video.  We have a pref, disabled by default, which when enabled would block these loads as well using the same infrastructure.