Firefox >= 23 will block mixed content when using SSL

Posted . Visible to the public.

Non-SSL contents on SSL pages are blocked by default

Bug 834836 – Turn on pref to block mixed active content

Firefox 18 introduced preferences to block loading contents from non-SSL (http) sites on SSL (https) pages. One of those preferences, security.mixed_content.block_active_content is now enabled by default in order to enhance user security. That means insecure scripts, stylesheets, plug-in contents, inline frames, Web fonts and WebSockets are blocked on secure pages, and a notification is displayed instead. It will not block "display content" like images, videos or audio.

developer.mozilla.org
Ulrich Berkmueller
Say thanks2
License
Source code in this card is licensed under the MIT License.

Related cards:

Firefox: Inspecting mixed content warnings (and how to enable them)

Having your site run on SSL is worthless when you include content over an unsafe connection (HTTP).

Here is how to hunt down mixed content with Firefox.

How to enable mixed content alerts

If your Firefox does not warn you about mixed content ...

When using "render :text", set a content type

When your Rails controller action responds with only a simple text, render text: 'Hello' may not be what you want. You should not even use it on Rails 4.1+ any more.

By default, a "text" response from a Rails controller will still be a sent as ...

Working around OpenSSL::SSL::SSLErrors

If your requests blow up in Ruby or CURL, the server you're connecting to might only support requests with older SSL/TLS versions.

You might get an error like: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=unknown state

...

Browsers will not send a referrer when linking from HTTPS to HTTP

  • When your site is on HTTPS and you are linking or redirecting to a HTTP site, the browser will not send a referrer.
  • This means the target site will see your traffic as "direct traffic", i.e. they cannot distinguish such hits from a user who di...

Regex: Be careful when trying to match the start and/or end of a text

Ruby has two different ways to match the start and the end of a text:

  • ^ (Start of line) and $ (End of line)
  • \A (Start of string) and \z (End of string)

Most often you want to use \A and \z.

Here is a short example in which we wa...

Using attribute event handlers with a strict Content Security Policy (CSP)

Given you have a strict CSP that only allows <script src> elements from your own domain:

Content-Security-Policy: script-src 'self'

This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the f...

Using Thin for development (with SSL)

Note: These instructions are for a quick per-project setup and may require you to change code. If you generally need SSL for development, you probably want to use [Passenger](https://makandracards.com/makandra/549-using-passenger-for-developme...

Caching in Rails < 6.1 may down parts of your application when using public cache control

Proxy caching is a good feature to serve your publicly visible application content faster and reduce load on your servers. It is e.g. available in nginx, but also affects proxies delivered by ISPs.

Unfortunately, there is a little problem in Rail...

RestClient / Net::HTTP: How to communicate with self-signed or misconfigured HTTPS endpoints

Occasionally, you have to talk to APIs via HTTPS that use a custom certificate or a misconfigured certificate chain (like missing an intermediate certificate).

Using RestClient will then raise RestClient::SSLCertificateNotVerified errors, or wh...

Using Passenger for development (with optional SSL)

  • install apache
  • sudo apt-get install ruby1.8-dev
  • sudo gem install passenger
  • sudo passenger-install-apache2-module
  • follow the instructions

Manually: configure a vhost in /etc/apache2/sites-available and link it to `/etc/apache2/s...

Posted by Ulrich Berkmueller to makandra dev (2013-04-09 15:00)
This website uses short-lived cookies to improve usability.
or learn more