this post was submitted on 03 Oct 2023
635 points (98.9% liked)

Firefox

A place to discuss the news and latest developments on the open-source browser Firefox

[–] [email protected] 3 points 10 months ago (1 children)

Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP

I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.

[–] [email protected] 4 points 10 months ago (1 children)

This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.

[–] [email protected] 4 points 10 months ago (1 children)

I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.

My objection was to the "even if a server has HTTPS, some resources will still load over HTTP".

[–] [email protected] 4 points 10 months ago

As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).