----- Original Message ----- > From: fhw...@gmail.com > To: mozilla-dev-security-pol...@lists.mozilla.org > Sent: Wednesday, 20 August, 2014 12:41:04 AM > Subject: Q: mixed http/https content
> What are the current rules or algorithms in place when dealing with some > mixture of http and https content in Firefox? > A case I'm thinking about is a drive-by download situation. If the main page > is loaded by https but there are subsequent requests for files (images, js, > css, fonts, iframes, etc.) or Ajax calls to be made that are only http, will > Firefox allow them? Note that I don't care about the form cases where I load > the form html using https but submit the form data via http. I care about > just the files and content. Firefox allows download of only Images over http, all other methods are blocked, you can test this here: https://www.ssllabs.com/ssltest/viewMyClient.html You can configure it to also disallow http images in https context (security.mixed_content.block_display_content) -- Regards, Hubert Kario _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy