Mixed content blocking in Pale Moon

Pale Moon protects you from attacks by blocking potentially harmful, insecure content on web pages that are supposed to be secure.

What is mixed content?

When you visit a page served over HTTP, your connection is open for potential eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.

When you visit a page fully transmitted over HTTPS, such as your bank's website, you'll see a green or blue padlock icon in the address bar. This means that your connection is authenticated and encrypted, and therefore safeguarded from eavesdroppers and man-in-the-middle attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or potentially modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed” and the padlock will indicate this. The page you are visiting is only partially encrypted, and even though it appears to be secure, it isn't.

By default, Pale Moon will allow mixed passive content (images), but will block mixed active content (scripts) because active content can easily be abused to steal sensitive information. If content is blocked this way by Pale Moon, you will see the shield icon letting you know mixed content was blocked.
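For site owners who want to find mixed content before the browser does, the following added example (not part of the original page and not Pale Moon code) audits the HTML of an HTTPS page and sorts plain-HTTP subresources into the passive and active groups described above. It generalizes beyond the page's two examples: treating audio and video as passive, and iframes and stylesheets as active, is an assumption based on common browser behaviour, and the URLs and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The page names images as passive and scripts as active; the other tags
# are an assumption following common browser classification.
PASSIVE_TAGS = {"img", "audio", "video"}
ACTIVE_TAGS = {"script", "iframe"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in PASSIVE_TAGS:
            self._check("passive", tag, a.get("src"))
        elif tag in ACTIVE_TAGS:
            self._check("active", tag, a.get("src"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))

    def _check(self, kind, tag, ref):
        if not ref:
            return
        # Resolve relative and protocol-relative references against the page,
        # so "/app.js" and "//host/x.css" inherit the page's https scheme.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(page_url, html):
    """Return plain-HTTP subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup for a hypothetical checkout page.
SAMPLE = """<html><head>
<script src="http://cdn.example/lib.js"></script>
<script src="/app.js"></script>
<link rel="stylesheet" href="//static.example/site.css">
</head><body>
<img src="http://img.example/logo.png">
<img src="https://img.example/ok.png">
<iframe src="http://ads.example/frame.html"></iframe>
</body></html>"""
```

Calling `audit("https://shop.example/checkout", SAMPLE)` reports the HTTP script and iframe as active and the HTTP image as passive; the relative and protocol-relative references resolve to HTTPS and are not reported.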

What are the risks of mixed content?

An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or even attempt to install malware on your computer.
You should normally not allow mixed content on sites that need to be properly secured, like a store checkout, bank, or eMoney provider.

When is mixed content common?

In some situations, mixed content can be a common occurrence. For example, you may use webmail to read your e-mail and receive an HTML e-mail that includes images served over a plain HTTP connection. Always be aware of the potential risks involved even in these situations, and check that any login page for your webmail is always fully secure.

Site and contents Copyright © 2009-2023 Moonchild Productions - All rights reserved