From the ‘open source browser’ files:
A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.
Many websites have long mixed SSL content with non-SSL content on the same page.
That’s bad.
It’s bad because it effectively nullifies the benefit of having SSL in the first place: the non-encrypted material is likely still valuable, and there is also a real possibility that a session cookie with login info is part of the non-SSL mix.
The correct best practice is to not mix SSL with non-SSL on the same page, which is something that Firefox 23 will enforce by default.
The security.mixed_content.block_active_content preference in Firefox will be on by default in Firefox 23.
“That means insecure scripts, stylesheets, plug-in contents, inline frames, Web fonts and WebSockets are blocked on secure pages, and a notification is displayed instead,” Mozilla developer Norbert Yoshino wrote in a blog post.
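A site owner can check an HTTPS page's markup for the resource types named in that quote before the browser blocks them. The following is an added example, not code from the article or from Mozilla; the tag-to-attribute mapping and the example.com sample page are assumptions constructed here, and Web fonts and WebSockets (referenced from CSS and script rather than HTML attributes) are outside its scope.

```python
from html.parser import HTMLParser

# Tag -> attribute that loads "active" content, following the list quoted
# above (scripts, stylesheets, plug-in contents, inline frames). Assumed mapping.
ACTIVE_SOURCES = {"script": "src", "iframe": "src", "embed": "src",
                  "object": "data", "link": "href"}  # link: stylesheets only


class ActiveMixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for active subresources loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_SOURCES.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        url = attrs.get(attr_name, "").strip()
        # Relative and protocol-relative (//host/x) URLs inherit https from the page.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))


def find_active_mixed_content(html):
    finder = ActiveMixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a page assumed to be served over https://
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="icon" href="http://static.example.com/favicon.ico">
<script src="https://cdn.example.com/app.js"></script>
<script src="HTTP://cdn.example.com/tracker.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<iframe src="//widgets.example.com/frame.html"></iframe>
<object data="http://media.example.com/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_active_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

The image and favicon are skipped because images are not in the quoted list of blocked content types.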
No, this will not break the web. It will secure it.
There was a time when SSL really represented a performance overhead for websites and that’s why there was a lot of mixed content. That’s not really the case anymore and the time for mixed SSL content is now past due.
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.