Intent to Ship: Mixed Content: upgrading of passive mixed content to HTTPS


Frederik Braun

May 3, 2024, 8:58:02 AM
to dev-pl...@mozilla.org

Intent to Ship: Mixed Content: upgrading of passive mixed content to HTTPS


Summary: Currently, Firefox is loading passive mixed content. These are loads of type image, audio and video with an HTTP URL while the top-level document load is over HTTPS. With this feature, we will automatically upgrade image, audio and video elements to HTTPS. There will be no fallback to HTTP. If such a subresource is unavailable over HTTPS, it will just not load. This aligns us with the latest revision of the Mixed Content specification. This feature is currently undergoing a gradual roll-out, where up to 40% of our users are already experiencing this behavior.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1811787 

Specification: https://www.w3.org/TR/mixed-content/ (Candidate Recommendation)

Standards Body: W3C WebAppSec WG

Platform coverage: All Gecko (Windows, Linux, macOS, Android)

Preference: The pref security.mixed_content.upgrade_display_content will be set to true.

DevTools: We already log the URL to the console when we perform an upgrade.

Other browsers

web-platform-tests: Already existing under mixed-content/. We added some for additional corner cases (request destination “imageset”, CORS mode requests).

This feature is already enabled in Nightly-only as mentioned in this thread: https://groups.google.com/a/mozilla.org/g/dev-platform/c/hEwtZEF47NY/m/Onth2N_iBQAJ and also discussed in this "Intent to prototype" thread:  https://groups.google.com/g/mozilla.dev.platform/c/F163Jz32oYY


Best,

Freddy



P.S: Kudos to our previous student Tomer Yavor. Without his work, this would not be possible.
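
For site owners checking what this change means for a page, here is an added example (not part of the original post and not Firefox code): a Python audit that lists the image, audio and video URLs on an HTTPS page that would be upgraded, so that each can be checked for HTTPS availability. The names `audit`, `upgrade` and `MixedMediaAudit` and the sample HTML are constructed for illustration; `srcset` and CORS-mode cases are not modelled.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Attributes that start image, audio or video loads. srcset/<picture> ("imageset")
# is left out on purpose: the post only names it as a corner case.
MEDIA_ATTRS = {("img", "src"), ("audio", "src"), ("video", "src"), ("video", "poster")}

def upgrade(url):
    """Swap http for https. Simplification: an explicit default port :80 is dropped."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit(":", 1)[0] if p.port == 80 else p.netloc
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

class MixedMediaAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base, self.in_media, self.findings = page_url, 0, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # An http <base> turns relative media URLs into mixed content.
            self.base = urljoin(self.base, attrs["href"])
        if tag in ("audio", "video"):
            self.in_media += 1
        for name in ("src", "poster"):
            # <source src> only counts inside <audio>/<video>, not inside <picture>.
            wanted = (tag, name) in MEDIA_ATTRS or (
                tag == "source" and name == "src" and self.in_media)
            if wanted and attrs.get(name):
                url = urljoin(self.base, attrs[name].strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, url, upgrade(url)))

    def handle_endtag(self, tag):
        if tag in ("audio", "video") and self.in_media:
            self.in_media -= 1

def audit(page_url, html):
    """Return (tag, http_url, https_url) for media loads that would be upgraded."""
    if urlsplit(page_url).scheme != "https":
        return []  # top-level document is not HTTPS, so nothing is mixed content
    parser = MixedMediaAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from the post.
SAMPLE = """<img src="http://img.example/logo.png"><img src="//cdn.example/a.png">
<video poster="http://media.example:80/p.jpg"><source src="http://media.example/clip.mp4"></video>
<picture><source src="http://x.example/n.png"><img src="/local.png"></picture>"""
```

Because there is no fallback to HTTP, every `https_url` returned by `audit` has to be reachable, or that element will not load.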
