From the ‘open source browser’ files:
A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.
Many websites have long mixed SSL content with non-SSL content on the same page.
It’s bad because it effectively nullifies the benefit of having SSL in the first place as the non-encrypted material is likely still valuable (and there is also the likely possibility that a session cookie with login info is part of the non-SSL mix).
The correct best practice is to not mix SSL with non-SSL on the same page, which is something that Firefox 23 will enforce by default.
preference in Firefox will be on by default in Firefox 23.
“That means insecure scripts, stylesheets, plug-in contents, inline frames, Web fonts and WebSockets are blocked on secure pages, and a notification is displayed instead,” Mozilla developer, Norbert Yoshino wrote in a blog post.
No, this will not break the web. It will secure it.
There was a time when SSL really represented a performance overhead for websites and that’s why there was a lot of mixed content. That’s not really the case anymore and the time for mixed SSL content is now past due.