What is "The face of this document has a security background"?


When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks. An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe.

Types of mixed content

There are two categories of mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst-case scenario if the content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.

Mixed passive/display content

Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

Passive content list

This section lists all types of HTTP requests which are considered passive content:

Starting in Firefox 23, mixed active content is blocked by default (and mixed display content can be blocked by setting a preference). To make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the Security pane of the Web Console.

To fix this type of error, all requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos, and other media.

As well as finding these warnings in the Web Console, you could use Content Security Policy (CSP) to report issues. You could also use an online crawler like SSL-check or Missing Padlock that will check your website recursively and find links to insecure content.

Note: The console will display a message indicating if mixed-display content is being successfully upgraded from HTTP to HTTPS (instead of a warning about "Loading mixed (insecure) display content").
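The crawler-style check described above can be reproduced offline for a single page. The following Python script is an added example, not code from the original article or from any of the tools it names: it parses an HTML document with the standard-library HTMLParser, resolves every sub-resource reference against the page's HTTPS URL, and reports the ones that would be fetched over cleartext HTTP. The split into "display" and "active" findings uses the tag mapping defined in the script, which is this example's own assumption (the article's passive list is not reproduced here), and the sample page and hostnames are constructed for the demonstration.

```python
"""Added example: mixed-content scanner for one HTML page served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute(s) of which tag name a fetched sub-resource.
# Inline CSS url(...) and JavaScript-initiated fetches are out of scope here.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "embed": ("src",),
}

# Assumed classification for this example: display content cannot alter the
# rest of the page; everything else (scripts, stylesheets, frames, plugin
# content via <object>/<embed>) is treated as active.
DISPLAY_TAGS = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, "display" | "active", absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # Each comma-separated candidate is "<url> <descriptor>".
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                self._check(tag, attrs, url)

    def _check(self, tag, attrs, url):
        # Relative and protocol-relative ("//host/...") URLs inherit https
        # from the page, so only absolute http:// references are mixed content.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme != "http":
            return
        if tag == "link":
            rel = attrs.get("rel", "").lower().split()
            if "stylesheet" not in rel:
                return  # e.g. rel=canonical is metadata, not a fetched resource
            kind = "active"
        else:
            kind = "display" if tag in DISPLAY_TAGS else "active"
        self.findings.append((tag, kind, absolute))


def scan(html, page_url):
    """Return the list of (tag, kind, url) mixed-content findings for one page."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Return (active_count, display_count); a CI job can fail on any active finding."""
    active = sum(1 for _, kind, _ in findings if kind == "active")
    return active, len(findings) - active


# Constructed sample page: a mix of safe and insecure references.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://cdn.example/site.css">
  <link rel="canonical" href="http://shop.example/checkout">
  <script src="//cdn.example/app.js"></script>
  <script src="http://analytics.example/track.js"></script>
</head><body>
  <img src="/img/logo.png" alt="">
  <img src="http://images.example/banner.jpg" alt=""
       srcset="http://images.example/banner@2x.jpg 2x">
  <video poster="http://media.example/poster.jpg" src="https://media.example/clip.mp4"></video>
  <iframe src="http://widgets.example/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = scan(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for tag, kind, url in results:
        print(f"{kind:7} <{tag}> {url}")
    print("active=%d display=%d" % summarize(results))
```

Run it as-is to see six findings on the constructed page: three active (the stylesheet, the analytics script and the iframe) and three display (two image candidates and the video poster); the protocol-relative script, the relative logo and the canonical link are correctly left alone. The same scan can be pointed at a saved copy of any page you own. Alongside fixing the references, the `Content-Security-Policy: upgrade-insecure-requests` directive instructs browsers to rewrite such requests to HTTPS before they are sent, which is what the console message about successfully upgraded display content refers to.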
