Feature Request: Blocking HTTP content when using HTTPS

Everything about using Adblock Plus on Mozilla Firefox, Thunderbird and SeaMonkey
Post Reply
Stasis

Feature Request: Blocking HTTP content when using HTTPS

Post by Stasis »

Many SSL-secured websites are only partially encrypted because they connect to standard HTTP websites as well, but I do not see an option in Firefox to deny insecurely delivered content. We can block HTTP completely in Adblock Plus, but this breaks all regular sites. Could you implement a method to restrict filters to HTTPS sites only?
User avatar
Hubird
Posts: 2850
Joined: Thu Oct 26, 2006 2:59 pm
Location: Australia
Contact:

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by Hubird »

On ISO hunt I use

|http://isohunt.com/

to do just that.

But you could also try something like:

|http://$domain=example.com|foo.com|bar.com
lewisje
Posts: 2743
Joined: Mon Jun 14, 2010 12:07 pm

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by lewisje »

If I remember correctly, blocking mixed content is a massive usability issue, which is why Firefox and Safari don't do it, while in various ways Opera, IE, and Chrome actually do it by default but also offer at least a dialog for changing that behavior; still one of the first things I do with a new installation of a computer is change the IE security settings to "Enable" mixed content rather than "Prompt" on it, because that modal dialog, which appears only once per browsing session, is annoying.
There's a buzzin' in my brain I really can't explain; I think about it before they make me go to bed.
Stasis

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by Stasis »

@Hubird

I am asking for the ability to restrict filters based on protocol precisely because the method you propose is so unwieldy, and requires prior knowledge of a website. Using a tool like HTTPS-Finder, I can enforce direct SSL connections to websites I have not yet been to, but I cannot block all HTTP content for these sites with Adblock Plus without breaking all HTTP sites...

@lewisje

Random facts and your personal opinion have nothing to do with the question I posed...
Wladimir Palant

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by Wladimir Palant »

lewisje is right - blocking mixed content is generally a bad idea. Firefox treats mixed content as "no SSL protection" which solves most issues with it. If you propose a feature you should also explain why that feature is useful.

For example, adblockplus.org supports HTTPS for all of its content. However, the YouTube video on the start page doesn't, and same problem with many of the images that users add to their forum posts (imageshack.us, imgur.com and others). What do you hope to achieve by blocking them?
Anti-Ad

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by Anti-Ad »

This is a very useful feature which should be added, but on a per-domain basis. Users could make a quick per-domain selection to block the HTTP content, or they could subscribe to lists of sites whose usability are not impacted by ditching everything still being served over HTTP.

This feature would work in a good combination with HTTPS Everywhere. When HTTPS Everywhere is rerouting all connections to a domain through HTTPS, ABP could do a good job killing off the third-party HTTP content, which is almost always going to be unwanted junk.

Isohunt is a good example. I just looked at that site and everything which might be wanted comes over HTTPS. Isohunt has a rule in HTTPS Everywhere, as does the potentially wanted third party content from Facebook. The only non-HTTPS content on Isohunt is advertising detritus.
Stasis

Re: Feature Request: Blocking HTTP content when using HTTPS

Post by Stasis »

@Wladimir Palant

Blocking HTTP content when connecting to HTTPS sites allows Firefox to establish a full secured connection to those sites, which aids against snooping attacks. Of course, I know that many sites suffer usability issues if HTTP content is blocked, due to drawing content from unsecured connections, but this blocking could also be used to block advertisers on SSL-secured sites. Most average users (I think) expect HTTPS to be secure, but some sites draw their advertisements or tracking scripts from HTTP connections, even though their own content is supposedly encrypted; as you just said, Firefox sees all the content as lacking protection, so users wouldn't know that their information could still be compromised. Regardless, adding protocol restriction to ABP just increases usability, since someone may want to block all images only on HTTPS domains, or all objects on HTTP, etc. I am sure that people would find more uses for it if it were added, than I can think of. Like Anti-Ad said, a subscription list for this could potentially improve general internet security. Thanks for reading! Please let me know if anything I said isn't true (I'm still learning).
Post Reply