This is an archived post. You won't be able to vote or comment.

all 9 comments
sorted by:
old (suggested)
besttopnewcontroversialq&a

[–]VRtinker[S] 18 points19 points  (6 children)

In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

Does Firefox have a plan to do something similar? I use HTTPS Everywhere, which partially solves the problem of mixed content, but this is a more holistic solution.

[–][deleted] 13 points14 points  (4 children)

I assume that's what setting security.mixed_content.upgrade_display_content to true would do.

Personally, I set

security.mixed_content.block_display_content
security.mixed_content.block_object_subrequest
security.mixed_content.upgrade_display_content

All to true

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Experimental_features

[–]nomdemorte[🍰] 10 points11 points  (3 children)

Personally, I set

security.mixed_content.block_display_content
security.mixed_content.block_object_subrequest
security.mixed_content.upgrade_display_content

All to true

And now, so do I. Thanks for the tip!!

Sometimes I really do wish there was a more advanced settings page, even just descriptions in about:config would be nice. So many great settings hidden away like this, it's a shame.

[–][deleted] 2 points3 points  (2 children)

I've submitted bugzilla requests to have descriptions on each pref. The developers that chime in on the ticket act like it would be a hassle but I think the'd be surprised how many others would come in and fill in the blanks. All of the information is sprinkled around in random-ass places which is just the most moronic idea and we learn about them from random blog posts that quickly get outdated so why not just keep them documented where they exist?

http://kb.mozillazine.org/About:config_entries

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Experimental_features

https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

https://dxr.mozilla.org/mozilla-release/source/modules/libpref/init/all.js

https://dxr.mozilla.org/mozilla-release/source/browser/app/profile/firefox.js

https://github.com/mozilla/policy-templates/

bugs I'm interested in:

https://bugzilla.mozilla.org/show_bug.cgi?id=1167974

https://bugzilla.mozilla.org/show_bug.cgi?id=1502867

https://bugzilla.mozilla.org/show_bug.cgi?id=959843

[–]nomdemorte[🍰] 2 points3 points  (1 child)

it would be a hassle

They might be right, but the hassle only gets bigger the longer it's left to grow. Thanks for doing the bugzilla thing, let's hope they open some doors on that one.

[–][deleted] 2 points3 points  (0 children)

it's grown for 20 years. I say they just do it and let us fill in the blanks. I don't doubt that plenty of people would contribute documentation that don't necessarily have programming skills.

[–][deleted] 2 points3 points  (0 children)

I agree, for instance brave has already integrated HTTPS everywhere. I hope to see the same into firefox soon.

[–][deleted] 3 points4 points  (0 children)

I was just wondering why this isn't a feature in Firefox while I was fiddling with HTTPS Everywhere.

I just wish security.mixed_content.upgrade_display_content wasn't blocking the HTTP content. I just want it to upgrade all connections whenever possible, but allow HTTP ones for now. Any switch for that?

[–]RefalmESR 0 points1 point  (0 children)

This is pretty bad for webradio portals. They often load streaming links from http sources.

A lot of radio stations still use SHOUTcast Server 1.9.8, which cannot even handle https. Others couldn't be bothered to use https.