This experiment has ended early so we can add some more telemetry to decide
on the next steps here. I will send out a new notice when we do the next
update to this.

On Wed, Feb 21, 2018 at 6:54 PM, Jonathan Kingston <[email protected]> wrote:

>
> We are experimenting with ways to eliminate insecure content on secure
> pages, while increasing HTTPS adoption. With bug 1435733
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1435733>, we are adding an
> experimental pref to upgrade all mixed passive content. The pref is enabled
> in Nightly-only by default.
>
> Mixed passive content[1] currently gets loaded in HTTPS pages with a
> degraded security UI - a grey padlock with a yellow triangle over it. With
> this change, we will upgrade HTTP mixed passive content (images and media)
> to HTTPS on secure pages. If the resource doesn’t exist over HTTPS, it will
> fail to load. The security UI will show the green lock, since no insecure
> content was loaded on the page.
>
> The categorization of mixed passive content we are using is the same as
> the one defined in the Mixed Content Specification[2]. For example, srcset
> and <picture> won’t be upgraded.
>
> Chrome is currently also working to experiment in this area as a plan for
> a new version of the Mixed Content Specification[3].
>
> The preference to disable this is: 
> "security.mixed_content.upgrade_display_content"
> which will be enabled in Nightly by default for two weeks. The code will
> remain in Firefox.
>
> Developers and Nightly users can see which content is upgraded in the
> developer console[4].
>
> We would love to hear feedback and receive breakage reports. Please file
> bugs here
> https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=DOM%3A%20Security
>
>
> [1] https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
>
> [2] https://w3c.github.io/webappsec-mixed-content/
>
> [3] https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md
>
> [4] https://imgur.com/Ig5QttW
>
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
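
As an added illustration (not part of the original message and not Firefox's code), the JavaScript below inventories the HTTP references in an HTTPS page's markup and labels each by the behaviour the announcement describes: `src` on images and media is rewritten to HTTPS, while `srcset` and anything inside `<picture>` is left alone. The element list, the treatment of `<source src>` as media, the function names and the sample markup are assumptions made for the example.

```javascript
// Constructed sample markup for an HTTPS page (not from the original post).
const SAMPLE_HTML = `
<img src="http://img.example/logo.png">
<img src="https://img.example/ok.png" srcset="http://img.example/a.png 1x, https://img.example/b.png 2x">
<picture>
  <source srcset="http://img.example/wide.webp">
  <img src="http://img.example/fallback.jpg">
</picture>
<video src="http://media.example/clip.mp4"></video>
<audio><source src="http://media.example/a.ogg"></audio>
<script src="http://cdn.example/app.js"></script>
`;

// Assumption: these elements carry the "images and media" the post refers to.
// Scripts and other active content are out of scope for this audit.
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// Read one attribute value (quoted or bare) from a tag's attribute text.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Hypothetical helper: list every http:// passive reference and what happens to it.
function auditMixedPassive(html) {
  const findings = [];
  let pictureDepth = 0; // > 0 while inside <picture>, which is not upgraded
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  for (const [, closing, rawName, attrs] of html.matchAll(tagRe)) {
    const tag = rawName.toLowerCase();
    if (tag === "picture") { pictureDepth += closing ? -1 : 1; continue; }
    if (closing || !PASSIVE_TAGS.has(tag)) continue;
    const src = attr(attrs, "src");
    if (src && /^http:\/\//i.test(src)) {
      findings.push(pictureDepth > 0
        ? { tag, url: src, action: "not-upgraded" }
        : { tag, url: src, action: "upgrade", upgradedUrl: src.replace(/^http:/i, "https:") });
    }
    // srcset candidates are "url descriptor" pairs separated by commas.
    for (const candidate of (attr(attrs, "srcset") || "").split(",")) {
      const url = candidate.trim().split(/\s+/)[0];
      if (/^http:\/\//i.test(url)) findings.push({ tag, url, action: "not-upgraded" });
    }
  }
  return findings;
}
```

Each `upgrade` entry is a resource that will fail to load if its host does not serve it over HTTPS, so those `upgradedUrl` values are the ones to check before the pref reaches your users.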
