The feature is not enabled by default like in Chrome; that will come in the future

Nov 27, 2012 15:01 GMT

The latest Firefox 18 beta comes with an interesting security option, even though the feature is disabled by default. Firefox can block insecure content from loading over HTTPS connections. It's rather common, unfortunately, for HTTPS pages to have resources that load via an unsecured HTTP connection.

What this means is that user data is not always protected, despite users assuming it would be since they're using an encrypted connection.

Most modern browsers warn users about mixed content, but these warnings can be easily ignored.

Now, Firefox is implementing a feature that would block any content loaded via an unencrypted connection.

This should prevent any scripts, images or any other type of data from being loaded, if they come from an HTTP source. The feature is not enabled by default in Firefox 18, though it might be in future releases.

However, you can enable it yourself. All you need to do is visit about:config and switch "security.mixed_content.block_active_content" and "security.mixed_content.block_display_content" to "true".
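Site owners can check in advance which resources on an HTTPS page would be affected by each of the two preferences. The following Python scanner is an added example, not code from the article or from Mozilla; the element-to-category table is an assumption based on the usual split between content that can script or restyle a page (active) and media (display), and the sample HTML and host names are constructed.

```python
from html.parser import HTMLParser

# Assumed tag -> (URL attribute, category) table; the article lists no elements.
# "active" content can script or restyle the page; "display" content cannot.
RULES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "img": ("src", "display"), "audio": ("src", "display"),
    "video": ("src", "display"), "source": ("src", "display"),
}


class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            attr, category = "href", "active"  # stylesheets can restyle the page
        elif tag in RULES:
            attr, category = RULES[tag]
        else:
            return  # e.g. <a href>: navigation, not a subresource load
        url = a.get(attr, "")
        # Only absolute http:// URLs are mixed; relative and // URLs inherit HTTPS.
        if url.lower().startswith("http://"):
            self.findings.append((category, tag, url))


def scan(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup, imagined as served from https://shop.example/
SAMPLE = """<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="http://cdn.example/app.js"></script><script src="https://cdn.example/ok.js"></script>
<img src="http://img.example/banner.png"><img src="//img.example/logo.png">
<a href="http://example.org/">link</a><iframe src="/checkout"></iframe>"""

if __name__ == "__main__":
    for category, tag, url in scan(SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

Resources fetched at runtime by scripts or from inside stylesheets do not appear in static markup, so a clean result here does not rule out mixed content on the rendered page.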

Google Chrome has had a similar mechanism for more than a year now but, as in Firefox, it started out disabled by default for any site outside of the google.com domain.

In practice, many sites rely on mixed content since they don't have a choice, and many were upset that Chrome essentially broke functionality by blocking mixed script content by default.

This is the reason why it's disabled by default in Firefox as well. However, the hope is that with two major browsers supporting it, Mozilla and Google can work together and pressure websites into fixing the issue at the source.

In fact, Google has taken the lead and has been blocking mixed content by default and silently for a few months now. This has already pushed plenty of websites into fixing their issues, which should make the roll-out in Firefox a lot easier.