Line 25: | Line 25: | ||
=== Bugs related to Developer and User Information === | === Bugs related to Developer and User Information === | ||
* https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry | * https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry | ||
* https://bugzilla.mozilla.org/show_bug.cgi?id=839238 - Lots of Documentation | * https://bugzilla.mozilla.org/show_bug.cgi?id=839238 - Lots of Documentation | ||
* https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - Distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent | * https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - Distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent | ||
Line 38: | Line 36: | ||
* https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - Mixed content in iframes. | * https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - Mixed content in iframes. | ||
|Feature overview=The Mixed Content Blocker prevents "mixed script" content, defined as mixed content loads of scripts, plugins, and stylesheets, from being loaded into a secure web page. The primary threat model is the active network attacker who modifies the contents of mixed script resources to compromise the integrity of a secure web application. This feature blocks mixed scripts from loading by default, and adds UI that enables a user to reload the page with the insecure content permitted to load. | |Feature overview=The Mixed Content Blocker prevents "mixed script" content, defined as mixed content loads of scripts, plugins, and stylesheets, from being loaded into a secure web page. The primary threat model is the active network attacker who modifies the contents of mixed script resources to compromise the integrity of a secure web application. This feature blocks mixed scripts from loading by default, and adds UI that enables a user to reload the page with the insecure content permitted to load. | ||
Detailed blog posts: | |||
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ | |||
https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/ | |||
|Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images, and video. We have a pref, disabled by default, which when enabled would block these loads as well using the same infrastructure. | |Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images, and video. We have a pref, disabled by default, which when enabled would block these loads as well using the same infrastructure. | ||
|Feature functional spec=Blocking of the mixed content loads occurs at the nsIContentPolicy level. When such a block occurs, the content policy fires an event at the document containing the mixed content, which causes the browser to display UI notifying the user that content was blocked, and providing the option to reload the page with the mixed content enabled. | |Feature functional spec=Blocking of the mixed content loads occurs at the nsIContentPolicy level. When such a block occurs, the content policy fires an event at the document containing the mixed content, which causes the browser to display UI notifying the user that content was blocked, and providing the option to reload the page with the mixed content enabled. |
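Review bot: the three lines that differ in this hunk ("Detailed blog posts:" and the two blog.mozilla.org URLs) sit as bare text between the end of the Feature overview value and the "|Feature non-goals=" parameter, so they belong to the overview field but carry no list markup or description. The bug links earlier on the page use the form "* URL - short description"; using the same form here, with a blank line before "Detailed blog posts:", would keep the links from running into the overview paragraph and tell readers which post covers the Firefox 23 enablement and which covers Aurora. The edit also has no summary, so the page history gives reviewers no reason for touching these lines; a one-line summary would help.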