
Intent to ship experimental Mixed Content upgrading (Nightly only)


Jonathan Kingston

Feb 21, 2018, 1:54:29 PM
to dev-platform
We are experimenting with ways to eliminate insecure content on secure
pages, while increasing HTTPS adoption. With bug 1435733
<https://bugzilla.mozilla.org/show_bug.cgi?id=1435733>, we are adding an
experimental pref to upgrade all mixed passive content. The pref is enabled
in Nightly-only by default.

Mixed passive content[1] currently gets loaded in HTTPS pages with a
degraded security UI - a grey padlock with a yellow triangle over it. With
this change, we will upgrade HTTP mixed passive content (images and media)
to HTTPS on secure pages. If the resource doesn’t exist over HTTPS, it will
fail to load. The security UI will show the green lock, since no insecure
content was loaded on the page.

The categorization of mixed passive content we are using is the same as the
one defined in the Mixed Content Specification[2]. For example srcset and
<picture> won’t be upgraded.

Chrome is currently also working to experiment in this area as a plan for a
new version of the Mixed Content Specification[3].

The preference to disable this is:
"security.mixed_content.upgrade_display_content" which will be enabled in
Nightly by default for two weeks. The code will remain in Firefox.

Developers and Nightly users can see which content is upgraded in the
developer console[4].

We would love to hear feedback and receive breakage reports. Please file
bugs here
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=DOM%3A%20Security


[1] https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

[2] https://w3c.github.io/webappsec-mixed-content/

[3] https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md

[4] https://imgur.com/Ig5QttW
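An added example, not code from the announcement or from Firefox: a small Python audit that scans the HTML of an HTTPS page for http:// subresource references and reports how the experiment described above would treat each one, using the categories the post gives (img/video/audio src upgraded; srcset and <picture> left as mixed passive content; everything else outside this pref's scope). The sample HTML is constructed, and treating every reference inside <picture> as not upgraded is an assumption drawn from the post's wording.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

PASSIVE_SRC_TAGS = {"img", "video", "audio"}  # src on these gets upgraded
URL_ATTRS = {"src", "srcset", "data"}          # attributes that fetch subresources


def upgrade(url):
    """Rewrite an http:// URL to https://, keeping host, path and query."""
    return urlunsplit(("https",) + urlsplit(url)[1:])


def uses_http(name, value):
    # srcset may hold several "url descriptor" candidates; test each URL's scheme
    parts = value.split(",") if name == "srcset" else [value]
    return any(urlsplit(p.split()[0]).scheme == "http" for p in parts if p.strip())


class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_picture = 0  # nesting depth inside <picture> (assumed: nothing in it is upgraded)
        self.findings = []   # (tag, attr, url, verdict, effective_url)

    def handle_starttag(self, tag, attrs):
        if tag == "picture":
            self.in_picture += 1
        for name, value in attrs:
            if name not in URL_ATTRS or not value or not uses_http(name, value):
                continue
            if name == "srcset" or self.in_picture:
                # not upgraded per the announcement: still loads as mixed passive content
                verdict, effective = "not-upgraded", value
            elif name == "src" and tag in PASSIVE_SRC_TAGS:
                verdict, effective = "upgraded", upgrade(value)
            else:
                # script/iframe/object etc. are not passive content: the pref does not apply
                verdict, effective = "out-of-scope", value
            self.findings.append((tag, name, value, verdict, effective))

    def handle_endtag(self, tag):
        if tag == "picture" and self.in_picture:
            self.in_picture -= 1


def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    return auditor.findings


SAMPLE = (  # constructed sample page (not a real site) covering each category
    '<img src="http://cdn.example/a.png"><video src="http://cdn.example/v.mp4"></video>'
    '<img src="https://cdn.example/ok.png"><img srcset="http://cdn.example/a1.png 1x, //cdn.example/a2.png 2x">'
    '<picture><source srcset="http://cdn.example/p.webp"><img src="http://cdn.example/p.png"></picture>'
    '<script src="http://cdn.example/s.js"></script>')
```

Running `audit(SAMPLE)` lists each http:// reference with its verdict, so a site owner can see which resources must exist over HTTPS before the upgrade lands and which will still degrade the padlock.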

Jonathan Kingston

Mar 1, 2018, 9:52:52 AM
to dev-platform
This experiment has ended early so we can add some more telemetry to decide
on the next steps here. I will send out a new notice when we do the next
update to this.