I had totally missed that Firefox 23 turned on Mixed Content blocking. What is the rationale for that?
I'm aware that MSIE blocked mixed content but I always considered that a bug. In short, I see mixed content blocking pros and cons as follows:

Pros:

(1) Avoid MitM attack for HTTPS sites that include e.g. script from HTTP connection.

Cons:

(2) Breaks existing sites that used to work in Firefox 22 and Chrome. (Granted, most of such sites were already broken in MSIE.)

(3) Prevents existing sites from easily upgrading from HTTP to HTTPS connection, especially if the site contains user-authored content (embedded iframes).

To me, (1) is pretty meaningless because site authors that include HTTP scripts on an HTTPS site will probably also run code vulnerable to XSS and CSRF attacks. Activating Mixed Content blocking and displaying a lock icon will give a false sense of security. I would much rather have a big ugly door hanger saying "beware of the leopard" which still allows the user to see all the content but hints that the content may not be totally safe.

I somewhat agree with (2) because it's easier for everybody if all content behaves similarly in all user agents. However, (3) is the deal breaker for me; I hope the target is to move most of the web to secure connections and anything that gives extra pain to the content authors should be avoided if at all possible.

Is (1) really such a big problem (compared to XSS and CSRF vulnerabilities) that this change is really worth the troubles of (3)? I would guess that this change will move more people from Firefox to Chrome because sites seem to work with that...

-- 
Mikko

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
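The post turns on what the blocker actually catches: an HTTPS page pulling a script, stylesheet or iframe over plain HTTP (which Firefox 23 treats as "active" mixed content and blocks), as opposed to an image over HTTP ("passive", displayed with a warning). The scanner below is an added example, not code from the thread or from Mozilla; it lets a site owner find exactly those references before flipping a site to HTTPS, which is the migration pain the post's point (3) describes. It uses only the Python standard library; the page URL, host names and HTML document are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element/attribute pairs whose insecure loads count as "active" mixed content
# (scripts, frames, plugins, stylesheets) and as "passive" mixed content (media).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects subresource references that would load over http: from an https: page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
            # Only <link rel="stylesheet"> is active content; icons, prefetch etc. are not loads we flag.
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                return
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # urljoin resolves relative ("/lib.js") and protocol-relative ("//cdn/x.js")
        # references against the page URL, so those inherit https: and are not flagged.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return (active, passive) lists of insecure subresource URLs for an https page.

    Mixed content is only defined for secure pages, so an http: page yields nothing.
    """
    if urlsplit(page_url).scheme != "https":
        return [], []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    active = [u for kind, _tag, u in parser.findings if kind == "active"]
    passive = [u for kind, _tag, u in parser.findings if kind == "passive"]
    return active, passive


# Constructed sample page: a site half-way through an HTTP -> HTTPS migration.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/other.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<iframe src="http://user-content.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    active, passive = scan("https://www.example.test/page", SAMPLE_PAGE)
    print("blocked (active):", *active, sep="\n  ")
    print("warned (passive):", *passive, sep="\n  ")
```

Run against the sample, the stylesheet, the absolute-http script and the user-embedded iframe come back as active (these are the loads the blocker silently drops, so the page looks broken), while the logo is passive. The protocol-relative and root-relative scripts are not reported because they inherit the page's scheme, which is the cheapest fix for references a site controls; for user-authored embeds the choice is to rewrite or drop them before the switch. On current servers the `Content-Security-Policy: upgrade-insecure-requests` header, which postdates this thread, addresses the same migration problem by having the browser fetch such references over https: instead.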