Old 06-12-2013, 10:46 AM   #1
Registered: Aug 2012
Posts: 484

TOTD: Blocking insecure "mixed-content" on Firefox

To give a little background, when one connects to an HTTPS site, the data channel is encrypted
and authenticated. However, if the HTTPS site also serves HTTP content (so-called mixed
content), the unencrypted portion can be sniffed and hijacked by an attacker.

If that insecure content is active (i.e. has access to some or all of the document object model),
the attacker can potentially change the behavior of the HTTPS page and steal information.

Firefox has joined other browsers and now permits the blocking of mixed-content. However, this
feature is off by default until Firefox 23. Until then, one must turn the blocking on manually.

To turn it on, surf to about:config and make the following change by double-clicking on

security.fileuri.strict_origin_policy            default     boolean   true
security.mixed_content.block_active_content      user set    boolean   true
security.mixed_content.block_display_content     default     boolean   false

If interested, you can read a more detailed explanation here.


TOTD=Tip of the Day
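
The active/display split that the two security.mixed_content.* preferences act on can be checked against a site's own HTML. The following is an added example, not part of the original post: the tag classification is an assumption that follows the usual browser split (scripts, frames, stylesheets and plugins are active; images, audio and video are display), and the function names, URLs and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page, assumed to be served from PAGE_URL.
PAGE_URL = "https://shop.example/cart"
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="http://cdn.example/site.css">
</head><body>
<img src="http://img.example/banner.png">
<img src="//img.example/ok.png">
<iframe src="http://ads.example/frame.html"></iframe>
<a href="http://other.example/">plain link, not a subresource</a>
</body></html>"""

# tag -> (URL attribute, class). Active content can touch the DOM of the
# HTTPS page; display content can only alter what is shown.
RULES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "img": ("src", "display"), "audio": ("src", "display"),
    "video": ("src", "display"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            attr, kind = "href", "active"
        elif tag in RULES:
            attr, kind = RULES[tag]
        else:
            return
        # Resolve relative and protocol-relative URLs against the page first.
        url = urljoin(self.page_url, a.get(attr) or "")
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(html, page_url):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_HTML, PAGE_URL), sep="\n")
```

Entries reported as active are what block_active_content stops; entries reported as display are only stopped when block_display_content is also set to true.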
Old 06-12-2013, 02:00 PM   #2
Senior Member
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,366

It's a good step forward but it needs work. I use RequestPolicy at the finest granularity (allowing/denying each domain and protocol separately) and NoScript with the same fine granularity.

With the new mixed content blocking enabled for both active and passive content, I found a site (Apple's iTunes store) that loads third-party unencrypted content (images) -- but after allowing this content in RequestPolicy, the new mixed content blocker did not show the shield icon necessary to allow the content, but it still blocked it anyway. Basically, it left me with no way to view the content. This was with passive content which is not recommended to block anyway, but it makes me nervous about using it at all. It did work on a vanilla Firefox profile without RequestPolicy/NoScript.

On Microsoft's mixed content test page, I allowed the unencrypted content in RequestPolicy but kept JavaScript disabled through NoScript (so it was only loading the unencrypted images). The passive content filter did not work at all (it did not pop up the shield or block the content). The shield only popped up when I enabled JavaScript on the HTTPS page. On other sites I tested it worked as it should. For now I'll stick to RequestPolicy+NoScript which lets me block mixed content anyway (though on a much more specific basis, which would drive most people crazy).

Right now it looks like it's all-or-nothing. You can enable this and have many pages break but have the fix a click away, at the cost of losing any protection using RequestPolicy/NoScript; or you can keep this disabled and maintain better control/protection using RequestPolicy/NoScript but at the cost of usability. It would be nice if you could have the best of both worlds (keeping RequestPolicy/NoScript on a domain basis rather than a protocol basis, but blocking mixed content) but that isn't possible right now as far as I can tell.
Old 06-13-2013, 10:27 AM   #3
Registered: Oct 2012
Posts: 76

Couldn't you just use NoScript's ABE to write a custom script to block active content from HTTP when in HTTPS?

