3

When I have mixed content (SSL and non-SSL on a https:// page), I would rather have a broken page than an insecure page.

Is there any way to disable the loading of non-SSL elements while on an https page?

jonsca
gcb
  • This isn't really an issue; the "non-secure" parts of a page are the static images (logos etc.) and have no reason to be encrypted. – Lamar B Dec 13 '11 at 07:53
  • 1
    @LamarB: It *can* be an issue if one of the insecure elements is a ` – u1686_grawity Dec 13 '11 at 12:51
  • @grawity Agreed, but if security is that big of an issue you should already have JavaScript disabled and selectively run the ones you need. – Lamar B Dec 13 '11 at 19:11
  • 1
    @LamarB: Well, first, many stores and banking sites require JavaScript. But the point I was trying to make is that without SSL, an attacker could replace or modify a script which you *do* need, and you wouldn't know it. You'd be thinking, "all scripts except this one are blocked, I'm safe". – u1686_grawity Dec 13 '11 at 20:04
  • It's exactly to confirm that "non-secure items are just logos" that I want an option to not load those. I don't need to see one store logo while I enter my credit card at checkout. But I'm sure as hell not buying there if I have to look at the source to see if it's really just the images and not the scripts. – gcb Dec 13 '11 at 20:07

2 Answers

2

HTTPS Everywhere by the EFF may suit your needs; it only supports a limited number of sites, though. For non-supported sites you may need to find another option. https://www.eff.org/https-everywhere

On Internet Explorer 9 there are "block unsecured images with other unsecured content" and "display mixed content" enable/disable/prompt settings that should also help. Haven't found these types of settings for Chrome or Firefox yet, but I would suspect that Firefox's about:config would have similar settings.

Lamar B
  • The 2nd paragraph is mostly my question :) but thanks for the https-everywhere link! Didn't know about that. – gcb Dec 14 '11 at 05:52
1

Set the values of both of these about:config items to true:

  • security.mixed_content.block_active_content
  • security.mixed_content.block_display_content

Sources:

MrBrian
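The split those two preferences draw, as an added example (not part of either answer and not Firefox's own code): a small Python scanner that lists the `http://` subresources referenced by an `https://` page and labels each as active or display content, so the "is it really just the logo?" check from the comments does not need a manual read of the source. The tag-to-category table is a simplified assumption, only static markup is inspected (nothing loaded at runtime by script or CSS), and the sample page and `shop.example` host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed, simplified classification: "active" content can script or restyle
# the page, "display" content is only rendered.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
DISPLAY = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample input, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.shop.example/site.css">
<script src="https://shop.example/checkout.js"></script>
<script src="http://cdn.shop.example/tracker.js"></script>
</head><body>
<img src="http://static.shop.example/logo.png">
<img src="//static.shop.example/badge.png">
<img src="/img/card.png">
<a href="http://shop.example/help">help</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) in ACTIVE or ((tag, name) == ("link", "href") and "stylesheet" in rel):
                category = "active"
            elif (tag, name) in DISPLAY:
                category = "display"
            else:
                continue  # e.g. <a href> is navigation, not a subresource
            # Relative and protocol-relative URLs inherit the page's https scheme.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((category, tag, url))


def find_mixed_content(page_url, html):
    """Return insecure subresources of an https page; empty for http pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Any entry labelled `active` is the case raised in the comments, where a script or stylesheet fetched over plain HTTP can be modified in transit.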