Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox?


Solution 1

I found this blog post which cleared up a few things. To quote the most relevant bit:

Mixed Active Content is now blocked by default in Firefox 23!

What is Mixed Content?
When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits a page served over HTTPS, their connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.

However, if an HTTPS page includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted over HTTP. The Mixed Content Blocker blocks certain HTTP requests on HTTPS pages.

The resolution, in my case, was to simply ensure the jquery includes were as follows (note the removal of the protocol):

<link rel="stylesheet" href="//code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css" type="text/css">
<script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"></script>

Note that the temporary 'fix' is to click on the 'shield' icon in the top-left corner of the address bar and select 'Disable Protection on This Page', although this is not recommended for obvious reasons.

UPDATE: This link from the Firefox (Mozilla) support pages is also useful in explaining what constitutes mixed content and, as given in the above paragraph, does actually provide details of how to display the page regardless:

Most websites will continue to work normally without any action on your part.

If you need to allow the mixed content to be displayed, you can do that easily:

Click the shield icon in the address bar and choose Disable Protection on This Page from the dropdown menu.

The icon in the address bar will change to an orange warning triangle to remind you that insecure content is being displayed.

To revert the previous action (re-block mixed content), just reload the page.

Solution 2

It means you're calling http from https. You can use src="//url.to/script.js" in your script tag and it will auto-detect.

Alternately you can use https in your src even if you will be publishing it to an http page. This will avoid the potential issue mentioned in the comments.
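
As an added example (not part of any answer above, and not Firefox's own code): a small Node.js audit that resolves each subresource reference against the page URL the way a browser does, and reports which references the Firefox 23 blocker described in Solution 1 would stop. The page URL `https://backoffice.example/admin`, the `<img>` line and all function names are assumptions made for illustration.

```javascript
// Added example; the page URL and the <img> line are constructed, the two
// jQuery UI URLs are the ones quoted in the question.
const SAMPLE = `
<link rel="stylesheet" href="http://code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css">
<script src="//ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"></script>
<img src="http://images.example/logo.png">
`;

// Tags whose loads count as "active" (can change the page's behaviour);
// the rest are display-only ("passive") content.
const ACTIVE = new Set(['script', 'link', 'iframe', 'object', 'embed']);
const URL_ATTR = { script: 'src', link: 'href', iframe: 'src', object: 'data',
                   embed: 'src', img: 'src', audio: 'src', video: 'src' };

// Regex scan: good enough for auditing templates, not a full HTML parser.
function findSubresources(html) {
  const found = [];
  const tagRe = /<(script|link|iframe|object|embed|img|audio|video)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // Only stylesheet links are fetched as subresources.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(m[2])) continue;
    const attrRe = new RegExp('(?:^|\\s)' + URL_ATTR[tag] + '\\s*=\\s*["\']([^"\']+)["\']', 'i');
    const a = attrRe.exec(m[2]);
    if (a) found.push({ tag, ref: a[1] });
  }
  return found;
}

// Resolve each reference against the page URL, as the browser does, and flag
// those that land on http: while the page itself is https:.
function auditMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  return findSubresources(html).map(({ tag, ref }) => {
    const resolved = new URL(ref, page);
    const mixed = page.protocol === 'https:' && resolved.protocol === 'http:';
    const kind = ACTIVE.has(tag) ? 'active' : 'passive';
    // Firefox 23 blocks mixed active content by default.
    return { tag, kind, url: resolved.href, mixed, blocked: mixed && kind === 'active' };
  });
}

for (const r of auditMixedContent('https://backoffice.example/admin', SAMPLE)) {
  console.log(r.blocked ? 'BLOCKED' : r.mixed ? 'MIXED  ' : 'ok     ', r.kind, r.url);
}
```

Passing a `file:///` page URL to the same function shows the protocol-relative reference resolving under the `file:` scheme, which is the locally stored page case raised in the comments.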

Solution 3

In the absence of a white-list feature you have to make the "all" or "nothing" choice. You can disable mixed content blocking completely.


The Nothing Choice

You will need to permanently disable mixed content blocking for the current active profile.

In the "Awesome Bar," type "about:config". If this is your first time you will get the "This might void your warranty!" message.

Yes you will be careful. Yes you promise!

Find security.mixed_content.block_active_content. Set its value to false.


The All Choice

iDevelApp's answer is awesome.

Solution 4

Put the below <meta> tag into the <head> section of your document to force the browser to replace insecure connections (http) with secure connections (https). This can solve the mixed content problem if the connection is able to use https.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

If you want to block then add the below tag into the <head> tag:

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

Solution 5

In the relevant page which makes a mixed content https to http call which is not accessible we can add the following entry in the relevant and get rid of the mixed content error.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Author by

Appulus

Updated on July 13, 2022

Comments

  • Appulus
    Appulus almost 2 years

    This morning, upon upgrading my Firefox browser to the latest version (from 22 to 23), some of the key aspects of my back office (website) stopped working.

    Looking at the Firebug log, the following errors were being reported:

    Blocked loading mixed active content "http://code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css"
    Blocked loading mixed active content "http://ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"

    among other errors caused by the latter of the two above not being loaded.

    What does the above mean and how do I resolve it?

  • Blender
    Blender over 10 years
    A better approach would be to just remove the protocol entirely: src="//code.jquery.com.... The browser will use the protocol that the page was loaded with.
  • matao
    matao over 10 years
    hmm, I have a site that has opened a new page without the address bar and then displays insecure content (fail, I know), how do you unblock mixed content in this scenario when the shield isn't available?
  • raina77ow
    raina77ow over 10 years
    +1 for this post, but I wish I could vote on the Firefox's team decision. Even great ideas can be implemented differently, and it's implementation that matters first, not the idea itself.
  • Raad
    Raad over 10 years
    Oh man! The FF Dev Team shot themselves in the foot with this - cool idea, totally uncool implementation. No persistence for disabling pages, and no whitelist! (for when you know and trust a site with mixed content)
  • alpha-mouse
    alpha-mouse over 10 years
    @Raad you simply cannot trust a site with mixed content. While site owners may be innocent, all the routers carrying http request may be not. I'd file a bug report to site owners.
  • Radu Murzea
    Radu Murzea over 10 years
    Just ran into this too. It broke one of my Greasemonkey scripts... so not cool. Thanks for the explanation.
  • Raad
    Raad over 10 years
    @alpha-mouse in principle, true; however there are 100s if not 1000s of sites that run on HTTPS but syndicate/include content from HTTP sites they have always deemed "safe and trusted". To suddenly break the browsing experience for those (without a persistent override) was, frankly, irresponsible.
  • Assimilater
    Assimilater over 10 years
    @Raad and those hundreds if not thousands of sites are in the process exposing headers that might contain personally identifiable information meant to be encrypted with an SSL connection...frankly, I don't see the FF Dev Team as the irresponsible entity in this matter...
  • Raad
    Raad over 10 years
    @Assimilater You're quite right, it is possible they are exposed, and in fact I'm all for greater security =) I'm not taking issue with FF having mixed-content blocking, but with the way in which it was (and to an extent, still is) implemented. As it was, people had no choice about what sites were blocked if they left the feature enabled. If you explicitly unblocked a site it would be blocked the next time you refreshed the page. If you were a developer having to work in mixed-mode it was very frustrating and you ended up turning it off. Anyway, that's my point so I'll zip it now!
  • Chris Baker
    Chris Baker over 10 years
    Extremely frustrating when it is blocking completely harmless actions. Speaking of zip! I have a plugin that uses Ziptastic to look up the city and state of the zip code you enter into an address form. This plugin is broken: all I want to do is use a restful API to grab a tiny JSON object -- no dice. This is the TSA of browser security! Let us have our pants back, for crap sake!
  • user1063287
    user1063287 over 10 years
    In one MySQL instance, I had to do database update replacing all instances of http with https ie: UPDATE YourTableName SET YourColumnName = REPLACE (YourColumnName, 'http', 'https')
  • Faizan
    Faizan almost 9 years
    Do you know how to enable mixed content on chrome?
  • fuglede
    fuglede almost 9 years
    @Faizan: From this answer: "In the address bar at the right end should be a 'shield' icon, you can click on that to run insecure content."
  • binaryfunt
    binaryfunt almost 9 years
    Just a note, if used on a locally stored webpage, it might cause the browser to search fruitlessly for the script, significantly delaying the loading of the page
  • MonOve
    MonOve almost 8 years
    @user1063287 not a good idea because then any url's that were already https will now be httpss. better would have been UPDATE YourTableName SET YourColumnName = REPLACE (YourColumnName, 'http:', '') that way you'd be left with // which will use https (if viewed with https)
  • Hack-R
    Hack-R over 7 years
    The blog post content is also available in the link in the error message itself. Instead of a self answer I think you should consider marking Alain's solution as the answer.
  • Aniket Thakur
    Aniket Thakur over 6 years
    Does not work in chrome? worked in firefox. upgrade-insecure-requests seems to upgrade http to https calls.
  • medley56
    medley56 about 6 years
    Is this a bad idea? Isn't there a reason that the security policy exists?