Intent to Ship: Mixed Content: upgrading of passive mixed content to HTTPS
Summary: Currently, Firefox is loading passive mixed content. These are loads of type image, audio and video with an HTTP URL while the top-level document load is over HTTPS. With this feature, we will automatically upgrade image, audio and video elements to HTTPS. There will be no fallback to HTTP. If such a subresource is unavailable over HTTPS, it will just not load. This aligns us with the latest revision of the Mixed Content specification.
This feature is currently undergoing a gradual roll-out, where up to 40% of our users are already experiencing this behavior.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1811787
Specification: https://www.w3.org/TR/mixed-content/ (Candidate Recommendation)
Standards Body: W3C WebAppSec WG
Platform coverage: All Gecko (Windows, Linux, macOS, Android)
Preference: The pref security.mixed_content.upgrade_display_content will be set to true.
DevTools: We already log the URL to the console when we perform an upgrade.
Other browsers:
Chrome shipped this in spring 2020.
WebKit Standards Position positive (https://github.com/WebKit/standards-positions/issues/124).
web-platform-tests: Already existing under mixed-content/. We added some for additional corner cases (request destination “imageset”, CORS mode requests).
This feature is already enabled in Nightly-only as mentioned in this thread: https://groups.google.com/a/mozilla.org/g/dev-platform/c/hEwtZEF47NY/m/Onth2N_iBQAJ and also discussed in this "Intent to prototype" thread: https://groups.google.com/g/mozilla.dev.platform/c/F163Jz32oYY
Best,
Freddy
P.S: Kudos to our previous student Tomer Yavor. Without his work, this would not be possible.
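
Because upgraded loads have no HTTP fallback, site owners may want to list the affected subresources and confirm each one is reachable over HTTPS. The following is an added example, not part of the original post and not Gecko code: `findUpgradedMedia`, the sample markup and all hostnames are constructed, and the scan assumes well-formed markup and covers only the `src` attribute of `<img>`, `<audio>` and `<video>`.

```javascript
// Matches the src attribute of <img>, <audio> and <video> start tags.
// "\ssrc" requires whitespace before the name, so data-src and srcset do not match.
const MEDIA_SRC =
  /<(img|audio|video)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns the media loads on an HTTPS page that resolve to http:// URLs,
// together with the https:// URL the browser would request instead.
function findUpgradedMedia(html, pageUrl) {
  const page = new URL(pageUrl);
  // Mixed content only exists when the top-level document is HTTPS.
  if (page.protocol !== 'https:') return [];

  const findings = [];
  for (const m of html.matchAll(MEDIA_SRC)) {
    const raw = m[2] ?? m[3] ?? m[4];
    let url;
    try {
      // Resolve relative and protocol-relative URLs against the page.
      url = new URL(raw, page);
    } catch {
      continue; // unparsable URL, nothing to report
    }
    if (url.protocol !== 'http:') continue; // already secure, or data:/blob:
    const original = url.href;
    url.protocol = 'https:'; // same host, path and explicit port
    findings.push({ element: m[1].toLowerCase(), original, upgraded: url.href });
  }
  return findings;
}

// Constructed sample page, for illustration only.
const SAMPLE_HTML = `
  <img src="http://img.example/logo.png">
  <img data-src="http://img.example/lazy.png" src="/local.png">
  <video src='http://media.example:8080/clip.mp4'></video>
  <audio src=//cdn.example/a.mp3></audio>
  <script src="http://js.example/app.js"></script>
`;

for (const f of findUpgradedMedia(SAMPLE_HTML, 'https://site.example/index.html')) {
  console.log(`<${f.element}> ${f.original} -> ${f.upgraded} (verify it loads over HTTPS)`);
}
```

Each `upgraded` URL can then be fetched to confirm the resource actually exists over HTTPS before users hit a missing image or media file.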