Firefox 23 lands with a new logo and mixed content blocking

Mozilla Firefox logoFirefox 23, released today, contains the usual mix of security work, standards conformance improvements, and minor bug fixes that we've come to expect from the regular browser releases. On top of these, it sports a trio of changes that you might actually notice.

Most visible of all, Firefox has a new icon. Don't worry—the lovable firefox is still embracing the globe and still has its back rudely turned toward us. The blue marble is, however, much less shiny than it once was.

Mozilla Firefox logo

The other changes are both important for their security implications. First, Firefox at last follows the lead of Internet Explorer and Chrome, blocking mixed use of (non-secure) HTTP content from (secure) HTTPS pages.

Previously, a page loaded over HTTPS in Firefox could freely load JavaScript, CSS, images, and other content from HTTP URLs. This meant that although the page's HTML was secured, its other features, including the scripts it ran, were not. This in turn left users susceptible to attacks that undermined the security that HTTPS should provide.

Mozilla Firefox 23

Internet Explorer has defaulted to blocking mixed content for many years, showing a warning each time it does so. In times gone by these warnings were dialog boxes; in current versions of the browser, they're shown as information bars along the bottom of the page. Other browser vendors, however, continued to freely load the insecure content.

Chrome 14 betas, in June 2011, started showing warnings when loading insecure scripts from HTTPS pages. The block-by-default behavior was first rolled out in Chrome 19. The protection was strengthened in Chrome 21, with stricter blocking and a less invasive UI.

Firefox's protection splits content into two kinds: "active" content (including scripts, stylesheets, and content embedded in frames) and "passive" content (such as images and videos). By default, Firefox 23 will only block the mixed active content, as in principle, the mixed passive content shouldn't pose a security threat.

When content is blocked, rather than showing a highly visible alert (as Internet Explorer does, and Chrome did prior to version 21), a grey shield will be placed in the address bar. Clicking the shield will reveal information about what was blocked and allow unblocking. This is very similar to the system that Google uses in Chrome 21 and beyond.

Arguably on the other side of the security fence, Firefox 23 removes the ability to disable JavaScript in its preferences dialog. That's not to say that Firefox 23 can't disable JavaScript (the setting in about:config still exists and still works, and Firefox 24 will add a feature to the developer tools to disable JavaScript too), but the most easy and obvious way of disabling JavaScript is gone.

The rationale for this change is that disabling JavaScript universally breaks too much of the Web. It's not an option that should be turned on by accident or without understanding the (substantial) functionality repercussions, and as such, it's not appropriate to show it to non-expert users. Users concerned with security are better with an extension such as NoScript, which allows selective blocking of JavaScript without disabling it globally.

Source: Ars Technica

Tags: browsers, Firefox, Mozilla

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
Consumer group recommends iPhone 8 over anniversary model
 
LTE connections wherever you go and instant waking should come to regular PCs, too
 
That fiction is slowly becoming a reality
 
The Snapdragon 845 octa-core SoC includes the Snapdragon X20 LTE modem
 
Human moderators can help make YouTube a safer place for everyone
 
Google says Progressive Web Apps are the future of app-like webpages
 
All 2018 models to sport the 'notch'
 
The biggest exchange in South Korea, where the BTC/KRW pair is at $14,700 now
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
     12
3456789
10111213141516
17181920212223
24252627282930
31      




Poll

Do you use microSD card with your phone?
or leave your own version in comments (4)