Firefox 23, released today, contains the usual mix of security work, standards conformance improvements, and minor bug fixes that we've come to expect from the regular browser releases. On top of these, it sports a trio of changes that you might actually notice.
Most visible of all, Firefox has a new icon. Don't worry—the lovable firefox is still embracing the globe and still has its back rudely turned toward us. The blue marble is, however, much less shiny than it once was.
The other changes are both important for their security implications. First, Firefox at last follows the lead of Internet Explorer and Chrome, blocking mixed use of (non-secure) HTTP content from (secure) HTTPS pages.
Previously, a page loaded over HTTPS in Firefox could freely load JavaScript, CSS, images, and other content from HTTP URLs. This meant that although the page's HTML was secured, its other features, including the scripts it ran, were not. This in turn left users susceptible to attacks that undermined the security that HTTPS should provide.
Internet Explorer has defaulted to blocking mixed content for many years, showing a warning each time it does so. In times gone by these warnings were dialog boxes; in current versions of the browser, they're shown as information bars along the bottom of the page. Other browser vendors, however, continued to freely load the insecure content.
Chrome 14 betas, in June 2011, started showing warnings when loading insecure scripts from HTTPS pages. The block-by-default behavior was first rolled out in Chrome 19. The protection was strengthened in Chrome 21, with stricter blocking and a less invasive UI.
Firefox's protection splits content into two kinds: "active" content (including scripts, stylesheets, and content embedded in frames) and "passive" content (such as images and videos). By default, Firefox 23 will only block the mixed active content, as in principle, the mixed passive content shouldn't pose a security threat.
When content is blocked, rather than showing a highly visible alert (as Internet Explorer does, and Chrome did prior to version 21), a grey shield will be placed in the address bar. Clicking the shield will reveal information about what was blocked and allow unblocking. This is very similar to the system that Google uses in Chrome 21 and beyond.
Arguably on the other side of the security fence, Firefox 23 removes the ability to disable JavaScript in its preferences dialog. That's not to say that Firefox 23 can't disable JavaScript (the setting in about:config still exists and still works, and Firefox 24 will add a feature to the developer tools to disable JavaScript too), but the most easy and obvious way of disabling JavaScript is gone.
The rationale for this change is that disabling JavaScript universally breaks too much of the Web. It's not an option that should be turned on by accident or without understanding the (substantial) functionality repercussions, and as such, it's not appropriate to show it to non-expert users. Users concerned with security are better with an extension such as NoScript, which allows selective blocking of JavaScript without disabling it globally.
Listing image by flowcomm
reader comments
187