
Revision 377857 of Mixed Content

  • Revision slug: Security/MixedContent
  • Revision title: Mixed Content
  • Revision id: 377857
  • Created:
  • Creator: evilpie
  • Is current revision? No
  • Comment: put a space in Mixed Content

Revision Content

{{ fx_minversion_header("16") }}

When a user visits a page served over HTTPS, their connection with the web server is encrypted with SSL and hence safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes HTTP content, this content is not encrypted and hence not safe from sniffers and man-in-the-middle attacks. When a webpage exhibits this behavior, it is called "mixed content". The connection is only partially encrypted, since some of the content is retrieved in cleartext over HTTP and hence accessible to sniffers and can be modified by man-in-the-middle attackers.

Web Console warning

Starting in Firefox 16, the Web Console will display a mixed content warning message when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in a red font in the Web Console, along with the text "mixed content", which links to this page.

[Screenshot: the Web Console displaying a mixed content warning.]

To fix this error, requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos and other media.

What are the risks?

The security community has created two categories for mixed content: Mixed Display Content and Mixed Script Content.

Mixed display content
Mixed Display Content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they can determine which webpage the user is visiting.
Mixed script content
Mixed Script Content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks already described for Mixed Display Content above, Mixed Script Content exposes the page to a few other attack vectors.

In the Mixed Script Content case, a man-in-the-middle attacker can intercept the request for the HTTP content and rewrite the response to include malicious JavaScript code. Malicious script can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerable plugins the user has installed, for example).

The risk involved with mixed content depends on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. Even if the webpage is public and has no sensitive data about the user, using mixed content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.
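The fix described under "Web Console warning" (find every subresource requested over plain HTTP and serve it over HTTPS instead) and the two risk categories above can be checked before a page ever reaches the browser. The following scanner is an added example written for this page; it is not Mozilla's or Firefox's code, and the mapping of HTML tags to the "display" and "script" categories is this example's own simplification of the page's definitions (stylesheets and frames are grouped with scripts because they can alter the page's DOM). The sample HTML, hostnames and page URL are constructed for the demonstration.

```python
"""Find mixed content in an HTML page served over HTTPS and classify each
finding as mixed display content or mixed script content.

Added example for this page, not Mozilla's code. The tag/category mapping
below is an assumption made for the example, not a browser's exact policy.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Resources that can run code or alter the DOM: treated as mixed script content.
SCRIPT_CONTENT = {
    ("script", "src"),
    ("link", "href"),    # only when rel="stylesheet" (checked below)
    ("iframe", "src"),
    ("object", "data"),
    ("embed", "src"),
}
# Resources that are only displayed: treated as mixed display content.
DISPLAY_CONTENT = {
    ("img", "src"),
    ("video", "src"),
    ("audio", "src"),
    ("source", "src"),
}


class MixedContentScanner(HTMLParser):
    """Collects (category, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags (<img ... />) here.
        attrs = dict(attrs)
        for (rule_tag, attr), category in self._rules():
            if tag != rule_tag or attr not in attrs or attrs[attr] is None:
                continue
            if tag == "link":
                rel = (attrs.get("rel") or "").lower().split()
                if "stylesheet" not in rel:
                    continue
            # Resolve relative and protocol-relative URLs against the HTTPS
            # page: "/a.png" and "//cdn/x.js" inherit https and are not mixed.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((category, tag, url))

    @staticmethod
    def _rules():
        yield from ((rule, "script") for rule in SCRIPT_CONTENT)
        yield from ((rule, "display") for rule in DISPLAY_CONTENT)


def scan(page_url, html):
    """Return the list of mixed content findings for an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings per category, e.g. {"script": 3, "display": 1}."""
    counts = {}
    for category, _tag, _url in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def suggest_fix(url):
    """The remediation the page describes: request the same resource over HTTPS
    (assumes the host also serves it over HTTPS; verify before deploying)."""
    assert url.startswith("http://")
    return "https://" + url[len("http://"):]


# Constructed sample page: a mix of plain-HTTP, protocol-relative, relative
# and HTTPS subresources, so the scanner's resolution logic is exercised.
SAMPLE_PAGE_URL = "https://www.example.test/account"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/banner.png">
<img src="/local/photo.png" />
<iframe src="http://ads.example.test/frame"></iframe>
<video src="https://media.example.test/clip.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    results = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for category, tag, url in results:
        print(f"mixed {category} content: <{tag}> {url} -> {suggest_fix(url)}")
    print(summarize(results))
```

Run against the sample page, the scanner reports three mixed script findings (the stylesheet, the script and the iframe) and one mixed display finding (the banner image); the protocol-relative script, the relative image and the HTTPS video resolve to https and are correctly left alone. The same `scan` function can be pointed at a site's templates as a pre-deployment check.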

Revision Source

<p>{{ fx_minversion_header("16") }}</p>
<p>When a user visits a page served over HTTPS, their connection with the web server is encrypted with SSL and hence safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes HTTP content, this content is not encrypted and hence not safe from sniffers and man-in-the-middle attacks. When a webpage exhibits this behavior, it is called "mixed content". The connection is only partially encrypted, since some of the content is retrieved in cleartext over HTTP and hence accessible to sniffers and can be modified by man-in-the-middle attackers.</p>
<h2 id="Web_Console_warning">Web Console warning</h2>
<p>Starting in Firefox 16, the Web Console will display a mixed content warning message when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in a red font in the Web Console, along with the text "mixed content", which links to this page.</p>
<p><a class="link-https" href="https://people.mozilla.com/~tvyas/mixed_content_webconsole.jpg"><img alt="Screen shot of the web console displaying a mixed content warning." src="/files/3794/mixed_content_webconsole.jpg" style="width: 700px; border-width: 1px; border-style: solid; height: 116px;" /></a></p>
<p>To fix this error, requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos and other media.</p>
<h2 id="What_are_the_risks.3F">What are the risks?</h2>
<p>The security community has created two categories for mixed content: <strong>Mixed Display Content</strong> and <strong>Mixed Script Content</strong>.</p>
<dl>
  <dt>
    Mixed display content</dt>
  <dd>
    Mixed Display Content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they can determine which webpage the user is visiting.</dd>
  <dt>
    Mixed script content</dt>
  <dd>
    Mixed Script Content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks already described for Mixed Display Content above, Mixed Script Content exposes the page to a few other attack vectors.</dd>
</dl>
<p>In the Mixed Script Content case, a man-in-the-middle attacker can intercept the request for the HTTP content and rewrite the response to include malicious JavaScript code. Malicious script can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerable plugins the user has installed, for example).</p>
<p>The risk involved with mixed content depends on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. Even if the webpage is public and has no sensitive data about the user, using mixed content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.</p>