Firefox will upgrade more Mixed Content in Version 127

Submitted by Style Pass, 2024-06-11 15:30:10

Most of the web already supports HTTPS: in fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security shortcoming of HTTP by creating a secure and encrypted connection. Oftentimes, when web applications enable encryption with HTTPS on their servers, legacy content may still contain references using HTTP, even though that content would also be available over a secure and encrypted connection. When such a document gets loaded over HTTPS but subresources like images, audio and video are loaded using HTTP, it is referred to as “mixed content”.

Starting with version 127, Firefox is going to automatically upgrade audio, video, and image subresources from HTTP to HTTPS.

When introducing the notion of “mixed content” a long while ago, browsers used to make a fairly sharp distinction between active and passive mixed content: Loading scripts or iframes over HTTP can be really detrimental to the whole document’s security and has long since been blocked as “active mixed content”. Images and other resources were otherwise called “passive” or “display” mixed content. If a network attacker could modify them, they would not gain full control over the document. So, in hope of supporting most existing content, passive content had been allowed to load insecurely, albeit with a warning in the address bar.
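For site owners who want to find such references before the browser has to deal with them, the following added example (not part of the original post or of Firefox) audits an HTML document for `http://` subresources and labels each one with the treatment described above. The `example.test` hosts, the `SAMPLE` markup and the names `MixedContentAudit` and `audit` are constructed for illustration; only `src` attributes are checked, and tags the article does not discuss are reported as "unclassified".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Treatment per element, as the article describes it: Firefox 127 upgrades
# image, audio and video loads; HTTP scripts and iframes are blocked.
TREATMENT = {"img": "upgraded", "audio": "upgraded", "video": "upgraded",
             "script": "blocked", "iframe": "blocked"}

# Constructed sample markup (hosts are placeholders).
SAMPLE = """
<img src="http://static.example.test/logo.png">
<img src="/local.png">
<video><source src="http://media.example.test/clip.webm"></video>
<script src="http://cdn.example.test/app.js"></script>
<iframe src="https://embed.example.test/widget"></iframe>
"""

class MixedContentAudit(HTMLParser):
    """Collects http:// subresource references found in an HTTPS document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media_stack = []   # open <audio>/<video> elements, for <source>
        self.findings = []      # (tag, absolute URL, treatment)

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media_stack.append(tag)
        src = dict(attrs).get("src")
        if not src:
            return
        # Resolve relative and protocol-relative references against the page.
        url = urljoin(self.page_url, src.strip())
        if urlsplit(url).scheme != "http":
            return
        # A <source> child is treated like its enclosing media element.
        kind = self.media_stack[-1] if tag == "source" and self.media_stack else tag
        self.findings.append((tag, url, TREATMENT.get(kind, "unclassified")))

    def handle_endtag(self, tag):
        if self.media_stack and self.media_stack[-1] == tag:
            self.media_stack.pop()

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content only exists in documents loaded over HTTPS
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Every entry reported as "upgraded" is worth rewriting to `https://` at the source, and every "blocked" entry is a resource that does not load at all on the HTTPS page.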

With the web platform supporting many new and exciting forms of content (e.g., responsive images), that notion became a bit blurry: Responsive images are not active in the sense that a malicious responsive image can take over the whole web page. However, with an impetus toward a more secure web, since 2018, we require that new features are only available when using HTTPS.
