Please note, this is a STATIC archive of website developer.mozilla.org from 03 Nov 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Revision 1074064 of Mixed content

  • Revision slug: Web/Security/Mixed_content
  • Revision title: Mixed content
  • Revision id: 1074064
  • Created:
  • Creator: fscholz
  • Is current revision? Yes
  • Comment
Tags: 

Revision Content

When a user visits a page served over {{Glossary("HTTPS")}}, their connection with the web server is encrypted with {{Glossary("TLS")}} and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page.

Types of mixed content

There are two categories for mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is low (webpage appears broken or with misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.

Stylesheets are considered active content, so content normally considered passive referenced from a stylesheet is considered mixed passive/display content.

Mixed passive/display content

Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

Passive content list

This section lists all types of HTTP requests which are considered passive content:

  • {{HTMLElement("img")}} (src attribute)
  • {{HTMLElement("audio")}} (src attribute)
  • {{HTMLElement("video")}} (src attribute)
  • {{HTMLElement("object")}} subresources (when an <object> performs HTTP requests)

Mixed active content

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Active content examples

This section lists some types of HTTP requests which are considered active content:

  • {{HTMLElement("script")}} (src attribute)
  • {{HTMLElement("link")}} (href attribute) (this includes CSS stylesheets)
  • {{HTMLElement("iframe")}} (src attribute)
  • {{domxref("XMLHttpRequest")}} requests
  • All cases in CSS where a {{cssxref("url")}} value is used ({{cssxref("@font-face")}}, {{cssxref("cursor")}}, {{cssxref("background-image")}}, and so forth).
  • {{HTMLElement("object")}} (data attribute)

Other resource types like web fonts and workers may be considered active mixed content, as they are in Chromium.

Warnings in Web Console

The Firefox Web Console displays a mixed content warning message in the Net pane when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in red, along with the text "mixed content", which links to this page.

Screen shot of the web console displaying a mixed content warning.

Starting in Firefox 23, mixed active content is blocked by default (and mixed display content can be blocked by setting a preference). To make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the Security pane of the Web Console, as seen below:

A screenshot of blocked mixed content errors in the Security Pane of the Web Console

To fix this type of error, all requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos, and other media.

See also

Revision Source

 
<p><span class="seoSummary">When a user visits a page served over {{Glossary("HTTPS")}}, their connection with the web server is encrypted with {{Glossary("TLS")}} and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page.</span></p>

<h2 id="Types_of_mixed_content">Types of mixed content</h2>

<p>There are two categories for mixed content: <strong>mixed passive/display content</strong> and <strong>mixed active content</strong>. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is low (webpage appears broken or with misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.</p>

<div class="note">
<p>Stylesheets are considered active content, so content normally considered passive referenced from a stylesheet is considered mixed passive/display content.</p>
</div>

<h3 id="Mixed_passivedisplay_content">Mixed passive/display content</h3>

<p>Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.</p>

<h4 id="Passive_content_list">Passive content list</h4>

<p>This section lists all types of HTTP requests which are considered passive content:</p>

<ul>
 <li>{{HTMLElement("img")}} (<code>src</code> attribute)</li>
 <li>{{HTMLElement("audio")}} (<code>src</code> attribute)</li>
 <li>{{HTMLElement("video")}} (<code>src</code> attribute)</li>
 <li>{{HTMLElement("object")}} subresources (when an <code>&lt;object&gt;</code> performs HTTP requests)</li>
</ul>

<h3 id="Mixed_active_content">Mixed active content</h3>

<p><strong>Mixed active content</strong> is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.</p>

<p>In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).</p>

<p>The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.</p>

<h4 id="Active_content_examples">Active content examples</h4>

<p>This section lists some types of HTTP requests which are considered active content:</p>

<ul>
 <li>{{HTMLElement("script")}} (<code>src</code> attribute)</li>
 <li>{{HTMLElement("link")}} (<code>href</code> attribute) (this includes CSS stylesheets)</li>
 <li>{{HTMLElement("iframe")}} (<code>src</code> attribute)</li>
 <li>{{domxref("XMLHttpRequest")}} requests</li>
 <li>All cases in CSS where a {{cssxref("url")}} value is used ({{cssxref("@font-face")}}, {{cssxref("cursor")}}, {{cssxref("background-image")}}, and so forth).</li>
 <li>{{HTMLElement("object")}} (<code>data</code> attribute)</li>
</ul>

<p>Other resource types like web fonts and workers may be considered active mixed content, <a href="https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp&amp;q=MixedContentChecker::contextTypeFromContext%20f:cpp&amp;sq=package:chromium&amp;type=cs">as they are in Chromium</a>.</p>

<h2 id="Warnings_in_Web_Console">Warnings in Web Console</h2>

<p>The Firefox Web Console displays a mixed content warning message in the Net pane when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in red, along with the text "mixed content", which links to this page.</p>

<p><a class="internal" href="/files/3794/mixed_content_webconsole.jpg"><img alt="Screen shot of the web console displaying a mixed content warning." src="https://mdn.mozillademos.org/files/12545/Mixed_content_-_Net_pane.png" style="border-style:solid; border-width:1px; height:286px; width:720px" /></a></p>

<p>Starting in Firefox 23, mixed active content is blocked by default (and mixed display content can be blocked by setting a preference). To make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the Security pane of the Web Console, as seen below:</p>

<p><a href="/files/5261/blocked-mixed-content-errors.png"><img alt="A screenshot of blocked mixed content errors in the Security Pane of the Web Console" src="https://mdn.mozillademos.org/files/12543/mixed_content_webconsole.png" style="border-style:solid; border-width:1px; height:285px; width:720px" /></a></p>

<p>To fix this type of error, all requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos, and other media.</p>

<h2 id="See_also">See also</h2>

<ul>
 <li><a href="https://w3c.github.io/webappsec/specs/mixedcontent/" title="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content - W3C Editor's Draft</a></li>
 <li><a href="/en-US/docs/Security/Mixed_content/How_to_fix_website_with_mixed_content">How to fix a website with blocked mixed content</a></li>
</ul>
Revert to this revision