Mixed Content

Mixed Content

W3C Last Call Working Draft, 13 November 2014

This specification describes how user agents should handle rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.

Table of Contents

1. Introduction

This section is not normative.

When a user successfully loads a resource from over a secure channel (HTTPS, for example), the user agent is able to make three assertions critical to the user’s security and privacy:

Together, these assertions give the user some assurance that is the only entity that can read and respond to her requests (caveat: without shocking amounts of work) and that the bits she’s receiving are indeed those that actually sent.

The strength of these assertions is substantially weakened, however, when the encrypted and authenticated resource requests subresources (scripts, images, etc) over an insecure channel. Those resource requests result in a resource whose status is mixed, as insecure requests are wide open for man-in-the-middle attacks. This scenario is unfortunately quite common.

This specification details how user agents can mitigate these risks to security and privacy by limiting a resource’s ability to inadvertently communicate in the clear.

Note: Nothing described in this document is really new; everything covered here has appeared in one or more user agents over the years: Internet Explorer led the way, alerting users to mixed content since at least version 4.

2. Key Concepts and Terminology

2.1. Terms defined by this specification

mixed content
A resource is said to be mixed content if the resource’s origin is insecure, and the the context responsible for loading it restricts mixed content.
The image is mixed content when loaded by

The image is mixed content when loaded by

potentially secure origin
potentially secure URL
An origin is said to be potentially secure if the origin’s scheme component is HTTPS, WSS, or about.

A URL whose origin is potentially secure is itself considered to be potentially secure.

a priori insecure origin
a priori insecure URL
Any origin which is not potentially secure is said to be a priori insecure. We know, for example, that is insecure just by looking at its scheme component.

A URL whose origin is a priori insecure is itself considered to be a priori insecure.

insecure origin
insecure URL
An resource’s origin is said to be insecure if it is either a priori insecure, or the user agent discovers only after performing a TLS-handshake that the TLS-protection offered is either weak or deprecated.

A URL whose origin is insecure is itself considered to be insecure.

deprecated TLS-protection
A resource’s TLS-protection is said to be deprecated if it is not weakly TLS-protected, but the user agent chooses to refuse it anyway. This determination is vendor-specific.

For example, a user agent may choose to reject resources for which the server presented a publicly-trusted certificate for an "Internal Name" (e.g. https://intranet/), a certificate with an overly-long validity period, a certificate signed with SHA-1, or a certificate which otherwise fails to meet the CA/Browser Forum’s Baseline Requirements. [CAB]

Note: We recommend that user agents return network errors rather than fetching resources whose TLS-protection is deprecated.

2.2. Terms defined by reference

weakly TLS-protected
These terms are defined in §5.2 of "Web Security Context: User Interface Guidelines" [WSC-UI]. A resource is TLS-protected when it is delivered over an encrypted channel. Weakly TLS-protected refers to a subset of those resources delivered over a channel that doesn’t offer strong protection of the content.

For example, resources would be considered weakly TLS-protected when delivered by a server presenting a self-signed certificate which does not chain to a root certificate in the user agent’s local trust store, as such a certificate only weakly authenticates the server. Similarly, a server which negotiates down to a weak cipher suite (such as TLS_RSA_WITH_NULL_MD5) would only weakly protect resources it serves.

Note: We recommend that user agents return network errors rather than fetching resources whose TLS-protection is weak.

An origin defines the scope of authority or privilege under which a resource operates. It is defined in detail in the Origin specification. [RFC6454]
globally unique identifier
This term is defined in Section 4 of RFC6454. [RFC6454]

Note: URLs that do not use hierarchical elements as naming authorities (for example: blob:, and data:) have origins which are globally unique identifiers. [URI]

"fetching" is the process by which a user agent requests resources, and delivers responses. It is defined in detail in the Fetch living standard. [FETCH]
request client
request context
request context frame type
request client TLS state
response TLS state
These terms are defined in Section 2.2 of the Fetch living standard. [FETCH]
network error
These terms are defined in detail in Section 2.3 of the Fetch living standard. [FETCH]
environment settings object
Defined in [HTML5].
embedding document
Given a Document A, the embedding document of A is the Document through which A’s browsing context is nested.

3. Content Categories

In a perfect world, user agents would be required to block all mixed content without exception. Unfortunately, that is impractical on today’s internet. For instance, a survey in 2013 notes that blocking mixed content would break around ~43% of secure websites in one way or another [DANGEROUS-MIX]. Draconian blocking policies applied to some types of mixed content are (for the moment) infeasible. User agents need to be more nuanced in their restrictions.

With that in mind, we here split mixed content into two categories defined in the following two sections: §3.2 Blockable Content and §3.1 Optionally-blockable Content.

Future versions of this specification will update these categories with the intent of moving towards a world where all mixed content is blocked; that is the end goal, but this is the best we can do for now.

3.1. Optionally-blockable Content

A resource is considered optionally-blockable content when the risk of allowing its usage as mixed content is outweighed by the risk of breaking significant portions of the web. This could be because mixed usage of the resource type is sufficiently high, or because the resource is very clearly low-risk in and of itself. This category of content includes:

These resource types map to the following Fetch request contexts: audio, image, prefetch, and video. These contexts are optionally-blockable request contexts.

Note: The fact that these resource types are optionally-blockable does not mean that they are safe, simply that they’re less catastrophically dangerous than other resource types. For example, images and icons are often the central UI elements in an application’s interface. If an attacker reversed the "Delete email" and "Reply" icons, there would be real impact on users.

Note: We further limit this category in §5.2 Should fetching request be blocked as mixed content? by force-failing any CORS-enabled request. This means that mixed content images loaded via <img crossorigin ...> will be blocked. This is a good example of the general principle that a category of content falls into this category only when it is too widely used to be blocked outright. The working group intends to find more blockable subsets of an otherwise optionally-blockable request context.

3.2. Blockable Content

Any resource that isn’t optionally-blockable is considered blockable content. A non-exhaustive sample of content that falls into this category includes:

These resource types map to the following Fetch request contexts: beacon, cspreport, download, embed, eventsource, favicon, fetch, font, form, frame, hyperlink, iframe, imageset, location, manifest, object, ping, plugin, script, serviceworker, sharedworker, subresource, style, track, worker, xmlhttprequest, and xslt. These contexts are the blockable request contexts.

Note: The request contexts form, hyperlink, and location might refer to top-level browsing context navigations, which are not considered mixed content. See the treatment of request context frame type in §5.2 Should fetching request be blocked as mixed content? for details.

3.3. Future Contexts

This document exhaustively categorizes the request contexts currently defined in the Fetch specification. It is the intention of the Working Group that any new content types defined in the future be prevented from loading as mixed content. To that end, any request context which is not explicitly listed in the preceeding content categories MUST be considered a blockable request context.

4. User Agent Requirements

4.1. Resource Fetching

User agents SHOULD reject weakly TLS-protected resources entirely by failing the TLS handshake, or by requiring explicit user acceptance of the risk (for instance, presenting the user with a confirmation screen she must click through).

If a Document's incumbent settings object restricts mixed content, or the relevant settings object for a script restricts mixed content, then fetching resource in response to requests (including not only requests for a Document's subresources, but also requests made from (Workers, SharedWorkers, Service Workers, and so on) will exhibit the following behavior:

  1. Requests for blockable resources from an a priori insecure origin will not generate network traffic, but will instead return a synthetically generated network error response.
  2. Responses to requests for blockable resources from an insecure origin will not be delivered to the request client, but instead will return a synthetically generated network error response.

§7 Integration with Fetch and §5 Insecure Content in Secure Contexts detail how these fetching requirements could be implemented.

User agents MAY take further action:

  1. Requests for optionally-blockable resources which are mixed content SHOULD be treated as blockable (and therefore returned as a network error as described above), but user agents MAY allow them to load normally.

    Note: For instance, a user agent could interpret the presence of a Strict-Transport-Security header field as forcing all content into the blockable category. [RFC6797]

  2. Requests for optionally-blockable resources which are mixed content MAY be modified to reduce the risk to users. For example, cookies and other authentication tokens could be stripped from the requests, or the user agent could automatically change the protocol of the requested URL to HTTPS in certain cases.

4.2. Script APIs

If the relevant settings object for a script script restricts mixed content, then user agents will model a mixed content failure as a network error. This means that:

  1. An XMLHttpRequest rejected as mixed content will run the steps for a network error during execution of the send() method. [XMLHTTPREQUEST]
  2. An EventSource connection rejected as mixed content will cause the user agent to fail the connection. [EVENTSOURCE]
  3. When processing WebSocket’s constructor, for an a priori insecure origin, a SecurityError exception will be thrown. [WEBSOCKETS]

4.3. Form Submission

If a Document's incumbent settings object restricts mixed content, then user agents MAY choose to warn users of the presence of one or more form elements with action attributes whose values are insecure URLs.

Note: Chrome, for example, currently gives the same UI treatment to a page with an insecure form action as it does for a page that displays an insecure image.

Further, user agents MAY optionally treat form submissions in the top-level browsing context from a Document whose incumbent settings object restricts mixed content as a request for blockable content to protect users from accidental data leakage.

4.4. UI Requirements

If a request for an optionally-blockable resource which is mixed content is not treated as blockable, then the user agent MUST NOT provide the user with a visible indication that the top-level browsing context which loaded that resource is secure (for instance, via a green lock icon). The user agent SHOULD instead display a visible indication that mixed content is present.

This requirement explicitly includes any visible indication of the top-level browsing context’s EV status. [CAB]

4.5. User Controls

User agents MAY offer users the ability to directly decide whether or not to treat all mixed content as blockable (meaning that even optionally-blockable would be blocked in a mixed context).

Note: It is strongly recommended that users take advantage of such an option if provided.

User agents MAY offer users the ability to override its decision to block blockable mixed content on a particular page.

Note: Practically, user agents probably can’t get away with not offering such a back door. That said, allowing mixed script is in particular a very dangerous option, and user agents REALLY SHOULD NOT [RFC6919] present such a choice to users without careful consideration and communication of the risk involved.

5. Insecure Content in Secure Contexts

5.1. Does settings object restrict mixed content?

Both documents and workers have environment settings objects which may be examined according to the following algorithm in order to determine whether they restrict mixed content. This algorithm returns Restricts Mixed Content or Does Not Restrict Mixed Content, as appropriate.

Given an environment settings object settings:

  1. If settings' TLS state is not unauthenticated, then return Restricts Mixed Content.
  2. If settings has a responsible document document, then:
    1. While document has an embedding document:
      1. Let document be document’s embedding document.
      2. Let embedder settings be document’s incumbent settings object.
      3. If embedder settings' TLS state is not unauthenticated, then return Restricts mixed content.
  3. Return Does Not Restrict Mixed Content.
If a document has an embedding document, user agents need to check not only the document itself, but also the top-level browsing context in which the document is nested, as that is the context which controls the user’s expectations regarding the security status of the resource she’s loaded. For example: loads The insecure request will be allowed, as was not loaded over a secure connection. loads The insecure request will be blocked, as was loaded over a secure connection. frames, which loads In this case, the insecure request to will be blocked, as was loaded over a secure connection, even though was not. frames a data: URL, which loads In this case, the insecure request to will be blocked, as was loaded over a secure connection, even though the framed data URL was not.

5.2. Should fetching request be blocked as mixed content?

Note: The Fetch specification hooks into this algorithm to determine whether a request should be entirely blocked (e.g. because the request is for blockable content, and we can assume that it won’t be loaded over a secure connection).

Given a request request, a user agent determines whether the Request request should proceed or not via the following algorithm:

  1. Let context be request’s context.
  2. Let frame type be request’s context frame type.
  3. Let origin be the origin of request’s URL.
  4. If request’s client does not restrict mixed content, return allowed.
  5. If request’s context frame type is top-level, return allowed.
  6. If origin is a priori insecure:
    1. If request’s mode is CORS or CORS-with-forced-preflight, return blocked.
    2. If context is a blockable request context, return blocked.
    3. If the user agent is configured to block optionally-blockable mixed content, return blocked.
  7. Otherwise, origin is potentially secure, so return allowed.

5.3. Should response to request be blocked as mixed content?

Note: If a request proceeds, we still might want to block the response based on the state of the connection that generated the response (e.g. because the response is for blockable content, but the server is insecure). This algorithm is used to make that determination.

Given a request request and response response, the user agent determines what response should be returned via the following algorithm:

  1. If request’s client does not restrict mixed content, return allowed.
  2. Let context be the request context of request.
  3. If context is an blockable request context or the user agent is configured to block optionally-blockable mixed content:
    1. If response’s TLS state is not authenticated, return blocked.

      Note: This covers both cases in which unauthenticated resources are requested, as well as cases in which the TLS handshake succeeds, and the resource exceeds the definition of weakly TLS-protected, but the user agent chooses to hold it to a higher standard. The definition of deprecated TLS-protection has some examples of these kinds of scenarios.

  4. Return allowed.

6. Secure Contexts for Powerful Features

Tangentially related to a user agent’s handling of insecure resources in secure contexts, certain web platform features that have distinct impact on a user’s security or privacy wish to restrict themselves for use only in sufficiently secure contexts. Service Workers, for instance, may only be registered when the user agent is satisfied that doing so doesn’t put the user at risk.

Here, we define algorithms for such determination.

6.1. May Document use powerful features?

Given a Document document, this algorithm returns Allowed or Not Allowed as appropriate.

  1. While document corresponds to an iframe srcdoc Document, let document be that Document’s browsing context’s browsing context container’s Document.
  2. If document’s active sandboxing flag set has its sandboxed origin browsing context flag set:
    1. Set origin to the origin of document’s address.
  3. If the result of executing the §6.3 Is origin potentially trusted? algorithm on origin is Potentially Trusted, return Allowed.
  4. Return the result of executing the §6.2 May environment settings object use powerful features? algorithm on browsing context’s incumbent settings object.

Note: Sandboxed documents will have a unique origin. This algorithm uses the location of a sandboxed document to determine whether it should be considered authenticated. That is, the document inside <iframe src="" sandbox="allow-script"> would be considered to allow powerful features.

6.2. May environment settings object use powerful features?

Given an environment settings object settings, this algorithm returns Allowed if powerful features may be used in the object’s context, and Not Allowed otherwise.

  1. If settings' TLS state is authenticated, return Allowed.
  2. Otherwise:
    1. Let origin be settings' origin.
    2. If the result of executing the §6.3 Is origin potentially trusted? algorithm on origin is Potentially Trusted, return Allowed.
  3. Return Not Allowed.

6.3. Is origin potentially trusted?

Certain origins are impossible for a user agent not to place trust in. In particular, file: URLs and the loopback interface both expose aspects of the machine on which the user agent is running. The user agent has no choice but to trust these origins.

Certain user agents extend this trust to other, vendor-specific URL schemes like app: or chrome-extension:.

Given an origin origin, the following algorithm returns Potentially Trusted or Not Trusted as appropriate.

  1. If origin is a potentially secure origin, return Potentially Trusted.

    Note: The origin of blob: and filesystem: URLs is the origin of the context in which they were created. Therefore, blobs created in an potentially secure origin will themselves be potentially secure. The origin of data: and javascript: URLs is an opaque identifier, which will not be considered potentially secure.

  2. If origin’s host component is localhost, return Potentially Trusted.
  3. If origin’s host component matches one of the CIDR notations or ::1/128 [RFC4632], return Potentially Trusted.
  4. If origin’s scheme component is file, return Potentially Trusted.
  5. If origin’s scheme component is one which the user agent considers to be authenticated, return Potentially Trusted.

    Note: This is meant to cover vendor-specific URL schemes whose contents are authenticated by the user agent. For example, FirefoxOS application resources are referred to with an URL whose scheme component is app:. Likewise, Chrome’s extensions and apps live on chrome-extension: schemes. These could reasonably be considered trusted origins.

  6. Return Not Trusted.

7. Integration with Fetch

When fetching resources, the mixed content checks described in the algorithms above should be inserted at the top of the Fetch algorithm to block network traffic to a priori insecure origins, and at the bottom of the algorithm, to block responses from insecure origins.

Fetch calls the algorithm defined in §5.2 Should fetching request be blocked as mixed content? during Step 4 of the Fetching algorithm. [FETCH]

Note: Hooking into Fetch here ensures that we catch not only the initial request, but all redirects as well. That is certainly the intent.

Further, Fetch calls the algorithm defined in §5.3 Should response to request be blocked as mixed content? during Step 7 of the Fetching algorithm. [FETCH]

Note: This hook is necessary to detect resources modified or synthesized by a ServiceWorker, as well as to determine whether a resource is insecure once the TLS-handshake has finished. See steps 4.1 and 4.2 of the algorithm defined in §5.3 Should response to request be blocked as mixed content? for detail.

8. Modifications to WebSockets

The WebSocket() constructor algorithm [WEBSOCKETS] is modified as follows:

The Establish a WebSocket Connection algorithm [RFC6455] is modified as follows:

9. Acknowledgements

In addition to the wonderful feedback gathered from the WebAppSec WG, the Chrome security team was invaluable in preparing this specification. In particular, Chris Palmer, Chris Evans, Ryan Sleevi, Michal Zalewski, Ken Buchanan, and Tom Sepez gave lots of early feedback. Anne van Kesteren explained Fetch and helped define the interface to this specification.


