Google Chrome and Mozilla Firefox have implemented Mixed Content Blocking processes to protect computers from security attacks exposed via unsecured content referenced from secured pages.

What is mixed content and why does it matter?

Websites that ask for sensitive information, such as usernames and passwords, often use secure (https) connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection both Google Chrome and Firefox verify that the content on the webpage has been transmitted safely. If either browser detects certain types of content on the page coming from insecure (http) channels, the browser will automatically prevent the content from loading and you'll see a shield icon appear in the address bar.

By blocking the content and possible security gaps, Chrome and Firefox protects your information on the page from falling into the wrong hands.

Mixed content types

Two types of content impact the user experience of viewing a web page and, in the context of Mixed Content, each has various levels of risk:

  • Mixed passive content or display content
  • Mixed active content or script content

Mixed passive content or display content

Mixed Passive Content is HTTP Content on an HTTPS website that cannot alter the Document Object Model (DOM) of the webpage. More simply stated, Passive HTTP content has a limited effect on the HTTPS website. For example, an attacker could replace an image served over HTTP with an inappropriate image or a misleading message to the user. However, the attacker would not have the ability to affect the rest of the webpage, only the section of the page where the image is loaded.

An attacker may infer information about user browsing activity by observing which images are served to the user, thus deriving pages viewed. Also, by observing HTTP headers sent to retrieve and deliver the image the attacker may view the user agent string and any cookies associated with the domain the image is requested from. If the content is served from the same domain as the main webpage, then session information is potentially exposed circumventing the protection HTTPS provides to the user account.

Examples of Passive Content are images, audio, and video loads.

Mixed active content or script content

Active Content is content that has access to and can affect all or parts of the Document Object Model (DOM) of an HTTPS page. This type of mixed content can alter the behavior of an HTTPS page and potentially steal sensitive data from the user. In addition to the risks already described for Mixed Passive Content above, Mixed Active Content is also exposed to a number of potential attack vectors.

Example: A Man In The Middle (MITM) attacker can intercept requests for HTTP active content. The attacker can then rewrite the response to include malicious JavaScript code. Malicious script can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerable plugins the user has installed, for example).

Examples of Active Content are JavaScript, CSS, objects, xhr requests, iframes, and fonts.

Eliminate the need for user browser controls

To eliminate the need for User controls all content, Passive and Active, should be served over HTTPS.

Browser management of mixed content

After reviewing the examples on Mozilla's website, you will see the impact of mixed content on the user browsing experience and understand the impact browser settings have on page rendering.

Note that mixed content blocking concepts are similar across browsers and that the management of access and levels of information are the main differences between browsers supporting mixed content blocking.

Visit the section that applies to your browser for details.