mozilla / policy-templates

Policy Templates for Firefox
Mozilla Public License 2.0

The description of `mixed_content` needs to be clarified #1141

Closed qupig closed 3 weeks ago

qupig commented 3 months ago

https://github.com/mozilla/policy-templates/blob/869b1d919857a59e4e3f06dfe2c9987f92710db5/docs/index.md?plain=1#L5253-L5256

The descriptions of security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content are ambiguous here. They interact but are not specified clearly enough.

According to the following information:

https://www.mozilla.org/en-US/firefox/128.0esr/releasenotes/

Firefox will now automatically try to upgrade <img>, <audio>, and <video> elements from HTTP to HTTPS if they are embedded within an HTTPS page. If these so-called mixed content elements do not support HTTPS, they will no longer load.

https://blog.mozilla.org/security/2024/06/05/firefox-will-upgrade-more-mixed-content-in-version-127/

With Firefox 127, all mixed content will either be blocked or upgraded. Making sure that documents transferred with HTTPS remain fully secure and encrypted.

Enterprise Users

Enterprise users that do not want Firefox to perform an upgrade have the following options by changing the existing preferences:

  • Set security.mixed_content.upgrade_display_content to false, such that Firefox will continue displaying mixed content insecurely (including the degraded lock icon from the first picture).
  • Set security.mixed_content.block_display_content to true, such that Firefox will block all mixed content (including upgradable).

It looks like:
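The interaction between the two preferences quoted above, modelled as an added example that is not part of this issue or of the policy-templates project. It assumes the `Preferences` policy's `{"Value": ..., "Status": ...}` shape in `policies.json`, uses constructed sample values, and encodes only the behaviour stated in the release notes and blog post: block wins over upgrade, upgrade falls back to blocking when HTTPS is unavailable, and upgrade off means insecure display.

```python
import json

# Constructed policies.json fragment (hypothetical values) in the
# policy-templates "Preferences" format: an enterprise opting out of upgrades.
POLICIES_JSON = """
{
  "policies": {
    "Preferences": {
      "security.mixed_content.upgrade_display_content": {"Value": false, "Status": "locked"},
      "security.mixed_content.block_display_content": {"Value": false, "Status": "locked"}
    }
  }
}
"""

# Firefox 127+ defaults as described in the release notes quoted in the issue.
DEFAULTS = {
    "security.mixed_content.upgrade_display_content": True,
    "security.mixed_content.block_display_content": False,
}


def effective_prefs(policies_json: str) -> dict:
    """Return the two mixed-content prefs after applying a policies.json overlay."""
    prefs = json.loads(policies_json).get("policies", {}).get("Preferences", {})
    effective = dict(DEFAULTS)
    for name in effective:
        if name in prefs:
            effective[name] = bool(prefs[name]["Value"])
    return effective


def mixed_display_outcome(prefs: dict, supports_https: bool) -> str:
    """Outcome for an http:// <img>/<audio>/<video> embedded in an https:// page.

    supports_https: whether the resource's host also serves it over HTTPS.
    """
    if prefs["security.mixed_content.block_display_content"]:
        return "blocked"  # block applies to all mixed display content, upgradable or not
    if prefs["security.mixed_content.upgrade_display_content"]:
        return "upgraded" if supports_https else "blocked"  # upgrade, else refuse to load
    return "loaded-insecure"  # pre-127 behaviour: shown plain, lock icon degraded


def report(policies_json: str) -> dict:
    """Summarise what a deployed policies.json means for both resource cases."""
    prefs = effective_prefs(policies_json)
    return {
        "https_available": mixed_display_outcome(prefs, True),
        "https_unavailable": mixed_display_outcome(prefs, False),
    }
```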

mkaply commented 3 weeks ago

I tweaked these a little based on your feedback.

I had documented upgrade_display_content wrong anyway. In the description, I describe what happens if you change the pref, not the default, so I had gotten that wrong.

mkaply commented 3 weeks ago

And thanks!

Feel free to offer more feedback