Prepare your https sites for Firefox 23

By Chris Duckett in Australian Technology, April 9, 2013, 2:47 PM PST // @dobes

An upcoming release of Firefox will prevent non-SSL non-display content loading on SSL pages.

One of the lingering "why do they do that" features of the internet is finally, albiet slowly, becoming a thing of the past: The loading of non-secured content on a secured page.

On May 23, Firefox 23 will be released, and by default, it will block any non-SSL content loading on an SSL page.

This means that any scripts, CSS, plugin contents, inline frames, fonts, or WebSockets that are loading with http instead of via https protocol will spark a notification to life.

Avoiding this mechanism will be images, video, or audio.

Which is good news for the unseemly side of the internet, in that it will still be possible to attack "secured" web pages via display content.

For the rest of us, it's means that if you run an SSL site, make sure it loads all of its content from an appropriate protocol.

By switching the security.mixed_content.block_active_content option in a copy of Firefox later than version 18, you can have it operate like Firefox 23 by default. For those that do not keep up with Firefox release numbers (who does?), that means the latest version of Firefox, 20, has it.

About Chris Duckett

Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic advent...

3 comments

Newest | Oldest

Deadly Ernest

basis as I have been doing for years with certain plug in, as have a lot of other FF users. It does beat the hell out of being asked by MS Internet Explorer if you trust a web site every time you visit it after they stop paying for a MS approved certificate. Even when I tell MSIE I trust the site and to let ti happen, it will ask again the very next session. The funny thing about MSIE constabtly asking me about the site that no longer pays for an MS approved security certificate is the system it happens on is a Win 7 Enterprise system that belongs to an International non profit organisation I do volunteer work for and the system accesses the organisations website throough a VPN into their server and the hits the web pages or goes out via their gateway. FF asked the first time I hit the site and never again as I said I trusted it, but MSIE has to annoy me by asking every time I open the browser.

Jan.

The fix for this: Use protocol-less links Instead of linking to content/assets with http:// link to content with just // which allows you to use a single reference that works on both HTTP and HTTPS pages. "The main caveat to keep in mind when using the protocol-less reference is that it will fail on pages loaded via file:/// (i.e. HTML pages you load directly from disk to your browser). So, do be sure to include the http: protocol in the URL if you happen to be developing without a web server at all, but dont worry about omitting it otherwise."

Gisabun

I guess no one cares about Firefox. :-) [Think about it: Microsoft or Google decides on a change like this, everyone is up in arms. Mozilla for Firefox? Nothing.

Conversation powered by LiveFyre

Add your Comment