
Firefox says over here that they have active mixed content blocked by default:

Starting in Firefox 23, mixed active content is blocked by default 

However, when I try to see the behavior of businessinsider.com (a site with lots of insecure links), there are a lot of insecure active mixed content links that are being allowed through:


Judging from this, I take it that the grey lock with a red slash indicates that the content is insecure but is not being blocked. The 200 OK status associated with these requests also indicates the same thing, that these requests are being fetched, and not blocked. I was wondering what could be going on here. Does anyone have any ideas?


1 Answer


https://www.businessinsider.com redirects to http://www.businessinsider.com. The insecure content you are seeing is on the http page, on which mixed content blocking does not happen.

[Image showing https to http redirect]

  • Thanks for the answer. Does that mean that the businessinsider website does not support https, and Firefox only blocks active mixed content for sites whose root domain is https? – QPTR Oct 07 '16 at 16:06
  • Correct and correct. BusinessInsider downgrades https to http, and mixed content blocking only makes sense in the context of a page that is served over HTTPS, as the purpose is to block content that is served insecurely via HTTP. – Anand Bhat Oct 07 '16 at 16:26
  • One more question. I was wondering if that's one of the reasons why sites sometimes take a long while to support HTTPS? For example, if a main site has support for HTTPS but its embedded requests (going to CDNs, ad servers et cetera) do not, then functionality might break if Firefox blocks them. – QPTR Oct 07 '16 at 19:02
  • Absolutely. News sites have a lot of dependencies on trackers and ad networks which may not support HTTPS, and moving such sites to HTTPS isn't easy. From https://cdt.org/blog/its-time-to-move-to-https/: "the two big industry sectors not doing so hot in terms of HTTPS are news sites and the adult entertainment industry. ... One of the biggest factors in slow adoption by news sites of HTTPS was the complexity of their ad infrastructure and website analytics; they had to track down every single instance of an insecure page element being sent and work with their partners to correct that behavior." – Anand Bhat Oct 07 '16 at 19:14
  • Thank you, that is very illuminating! – QPTR Oct 08 '16 at 05:35
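The two points the answer and comments make (blocking only applies once the page itself is served over HTTPS, and then only to active content such as scripts and frames) as an added example that is not part of the original thread. The redirect map, host names and HTML below are constructed; the script follows the redirect the way the answer describes and then classifies each subresource the way a browser's mixed-content check would.

```python
"""Mixed-content classifier for a page reached via a redirect chain.

Constructed inputs: an HTTPS entry URL that downgrades to HTTP (as in the
answer above) and a page body embedding insecure and secure resources.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetch is *active* content (can execute or restyle the page).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
# Tags whose fetch is *passive* content (displayed, cannot run code).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

# Constructed redirect map: the HTTPS front door downgrades to plain HTTP.
REDIRECTS = {"https://news.example/": "http://news.example/"}

# Constructed page body: one insecure script, one insecure image, one secure script.
HTML = (
    '<script src="http://ads.example/track.js"></script>'
    '<img src="http://cdn.example/logo.png">'
    '<script src="https://cdn.example/app.js"></script>'
)


class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every active or passive subresource."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in ACTIVE | PASSIVE:
            if tag == t and attrs.get(a):
                self.found.append((tag, urljoin(self.base_url, attrs[a])))


def final_url(start_url, redirects):
    """Follow the redirect map until it stops (loop-safe), returning the landing URL."""
    url, seen = start_url, set()
    while url in redirects and url not in seen:
        seen.add(url)
        url = redirects[url]
    return url


def classify(page_url, html):
    """Map each subresource URL to the verdict a browser would give on page_url."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    active_tags = {t for t, _ in ACTIVE}
    verdicts = {}
    for tag, url in collector.found:
        if not page_secure:
            verdicts[url] = "not-mixed (page is http)"   # nothing to block
        elif urlsplit(url).scheme == "https":
            verdicts[url] = "secure"
        elif tag in active_tags:
            verdicts[url] = "active-mixed (blocked)"
        else:
            verdicts[url] = "passive-mixed (allowed, warning)"
    return verdicts
```

Running `classify(final_url("https://news.example/", REDIRECTS), HTML)` flags nothing, because the landing page is HTTP; the same HTML served at `https://news.example/` gets the insecure script blocked and the insecure image allowed with a warning.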