Blackboard Help

Browser Security and Mixed Content

Google Chrome and Mozilla Firefox have implemented Mixed Content Blocking to protect computers from attacks made possible by unsecured content referenced from secured pages.

Security: Mixed Content in Web Site Pages

What is Mixed Content and Why Does This Matter?

Websites that ask for sensitive information, such as usernames and passwords, often use secure (https) connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection, both Google Chrome and Firefox verify that the content on the webpage has been transmitted safely. If either browser detects certain types of content on the page coming from insecure (http) channels, the browser will automatically prevent the content from loading and you'll see a shield icon appear in the address bar.

By blocking the content and possible security gaps, Chrome and Firefox protect your information on the page from falling into the wrong hands.

Mixed Content Types

Two types of content affect the user experience of viewing a web page, and in the context of Mixed Content each carries its own level of risk:

Mixed Passive Content or Display Content

Mixed Passive Content is HTTP content on an HTTPS website that cannot alter the Document Object Model (DOM) of the webpage. More simply stated, passive HTTP content has a limited effect on the HTTPS website. For example, an attacker could replace an image served over HTTP with an inappropriate image or a misleading message to the user. However, the attacker would not have the ability to affect the rest of the webpage, only the section of the page where the image is loaded.

An attacker may infer information about user browsing activity by observing which images are served to the user, thus deriving pages viewed. Also, by observing the HTTP headers sent to retrieve and deliver the image, the attacker may view the user agent string and any cookies associated with the domain the image is requested from. If the content is served from the same domain as the main webpage, then session information is potentially exposed, circumventing the protection HTTPS provides to the user account.

Examples of Passive Content are images, audio, and video loads.

Mixed Active Content or Script Content

Active Content is content that has access to and can affect all or parts of the Document Object Model (DOM) of an HTTPS page. This type of mixed content can alter the behavior of an HTTPS page and potentially steal sensitive data from the user. In addition to the risks already described for Mixed Passive Content above, Mixed Active Content is also exposed to a number of potential attack vectors.

Example: A Man In The Middle (MITM) attacker can intercept requests for HTTP active content. The attacker can then rewrite the response to include malicious JavaScript code. A malicious script can steal the user’s credentials, acquire sensitive data about the user, or attempt to install malware on the user’s system (by leveraging vulnerable plugins the user has installed, for example).

Examples of Active Content are JavaScript, CSS, objects, XHR requests, iframes, and fonts.

Eliminating the Need for User Browser Controls

To eliminate the need for user controls, all content, both Passive and Active, should be served over HTTPS.
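One way to find the references that still need to move to HTTPS, as an added example that is not part of the original page or any Blackboard tool: a static audit that sorts each http:// load in a page's markup into the Passive and Active categories described above. The tag-to-category mapping, the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs grouped by the page's two categories.
# XHR and font loads start from script or CSS, so static markup cannot show them.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}


class MixedContentAuditor(HTMLParser):
    """Collects subresources that an HTTPS page would request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        values = {name: (value or "").strip() for name, value in attrs}
        rel = values.get("rel", "").lower().split()
        for attr, url in values.items():
            # Only explicit http:// is mixed; "//host/x" inherits the page's https.
            if not url.lower().startswith("http://"):
                continue
            is_css = tag == "link" and attr == "href" and "stylesheet" in rel
            if is_css or (tag, attr) in ACTIVE:
                self.findings.append(("active", tag, url))
            elif (tag, attr) in PASSIVE:
                self.findings.append(("passive", tag, url))
            # Anything else (for example <a href>) is navigation, not a load.


def audit(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="http://media.example.test/logo.png">
<img src="//media.example.test/banner.png">
<a href="http://example.test/page">link</a>
<iframe src="HTTP://video.example.test/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url in audit(SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

Active findings are the ones to fix first, since those are the loads that can alter the whole page.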

Browser Management of Mixed Content by Browser...

The following sections describe how to manage browser controls for accessing Mixed Content for Google Chrome and Mozilla Firefox browsers.

Following the example pages at you will see the impact of mixed content on the user browsing experience and understand the impact browser settings have on page rendering.

Note that mixed content blocking concepts are similar across browsers and that the management of access and levels of information are the main differences between browsers supporting mixed content blocking.

Visit the section that applies to your browser for details.