(Excerpt from http://blog.aizhet.com/Windows/18415.html)
Starting with Firefox 18, if an HTTPS page contains unencrypted HTTP content, the browser logs a warning in the console recording the Mixed Active Content request. Starting with Firefox 23, the browser by default blocks HTTP requests in HTTPS pages that might affect the page's security (that is, it blocks Mixed Active Content). This sacrifices some website compatibility, but it improves security.
Loading Mixed Content is equivalent to opening a partially encrypted connection, in which the unencrypted part is likely to be attacked by a man in the middle. Different types of Mixed Content do different degrees of harm. Mixed Passive Content may let the man in the middle obtain information about the user's device, or make the user see incorrect pictures, audio, etc. Mixed Active Content can lead to sensitive user data, such as account passwords, being stolen.
Solve the problem
Solution One (once and for all)
Avoid including HTTP content on HTTPS pages.
Solution Two (let Firefox temporarily not block)
Solution Three (configure local Firefox so that it no longer blocks)
Open a new tab, enter about:config in the address bar, and go to the configuration page.
Why does the Mixed Content Blocker not block all HTTP requests?
Mixed Content can be divided into two categories:
- Mixed Passive Content
- Mixed Active Content
Mixed Passive Content (a.k.a. Mixed Display Content)
Mixed Passive Content is content that has little security impact on an HTTPS page, such as images, audio, and video. Even if the content is tampered with by a man in the middle, the effect is limited: the attacker learns the user's browser information (through the User-Agent included in the HTTP headers) and the user sees an incorrect picture, but the tampered content cannot modify the DOM tree and cannot be executed. In addition, Mixed Passive Content is ubiquitous on the Web, so Firefox does not block it by default.
Mixed Active Content (a.k.a. Mixed Script Content)
Mixed Active Content is HTTP content in an HTTPS page that can modify the DOM tree, such as JavaScript, CSS, XMLHttpRequest, and iframes. If this HTTP content is modified by a man in the middle, it may affect the security of the original HTTPS content, resulting in the theft of sensitive user data. Firefox therefore blocks Mixed Active Content by default.
Deep thinking
Why is a frame treated as Mixed Active Content?
A frame cannot be classified as Mixed Passive Content mainly for the following reasons. A frame can navigate the outer, trusted HTTPS page to a fake page that maliciously steals information. In addition, if an HTTPS page embeds an HTTP frame, and the frame contains a form for entering user information, that information is transmitted over HTTP, where it is at risk of being stolen by a man-in-the-middle attacker, while the user is unaware and believes everything is protected by HTTPS.
How do you determine whether Mixed Content is Active or Passive?
By whether the Mixed Content affects the DOM structure of the page. (Yes: Active. No: Passive.)
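One way to audit a page you serve for the two categories described above, as an added example that is not code from the original article. The function name, sample page and URLs are constructed for illustration, and the tag lists follow the article's own examples; it scans static markup only, so requests made at run time (such as XMLHttpRequest) are not covered.

```javascript
// Elements that load subresources, grouped the way the article groups them.
// active: can change the DOM or execute; passive: display-only media.
const LOADERS = [
  { tag: "script", attr: "src",  kind: "active" },
  { tag: "iframe", attr: "src",  kind: "active" },
  // Only <link> elements that load a stylesheet count as CSS.
  { tag: "link",   attr: "href", kind: "active", requires: /\brel\s*=\s*["']?stylesheet/i },
  { tag: "img",    attr: "src",  kind: "passive" },
  { tag: "audio",  attr: "src",  kind: "passive" },
  { tag: "video",  attr: "src",  kind: "passive" },
];

function auditMixedContent(pageUrl, html) {
  const findings = [];
  // Mixed content only exists when the containing page itself is HTTPS.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  for (const { tag, attr, kind, requires } of LOADERS) {
    const tagRe = new RegExp(`<${tag}\\b[^>]*>`, "gi");
    // Leading \s keeps look-alike attributes such as data-src from matching.
    const attrRe = new RegExp(`\\s${attr}\\s*=\\s*["']?([^"'\\s>]+)`, "i");
    for (const [element] of html.matchAll(tagRe)) {
      if (requires && !requires.test(element)) continue;
      const m = element.match(attrRe);
      if (!m) continue;
      let resolved;
      // Resolve relative and protocol-relative URLs against the page URL.
      try { resolved = new URL(m[1], pageUrl); } catch { continue; }
      if (resolved.protocol === "http:") {
        findings.push({ tag, url: resolved.href, kind, blockedByDefault: kind === "active" });
      }
    }
  }
  return findings;
}

// Constructed sample input (not from the article).
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="http://cdn.example/app.js"></script>
<script src="/js/local.js"></script>
<script src="//cdn.example/lib.js"></script>
<img src="http://img.example/banner.png">
<img src="https://img.example/logo.png">
<iframe src="http://pay.example/form"></iframe>
<video src="http://media.example/intro.mp4"></video>`;

for (const f of auditMixedContent(SAMPLE_PAGE, SAMPLE_HTML)) console.log(f.kind, f.tag, f.url);
```

Every entry with blockedByDefault set to true is a resource that Firefox 23 and later would refuse to load on that page, so those are the ones to move to HTTPS first.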
(Technology sharing) Resolving the issue in which Firefox displays "Blocked loading mixed active content"