4.1 Block Mixed Active Content

Information

This setting disables the ability to view HTTP content such as JavaScript, CSS, objects, and xhr requests.

Rationale:

Blocking active mixed content minimizes the risk of man-in-the-middle attacks.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration, set security.mixed_content.block_active_content to true:

Type about:config in the address bar

Type security.mixed_content.block_active_content in the filter

Ensure the setting is set as prescribed.

OR

Open the mozilla.cfg file in the installation directory with a text editor

Add the following lines to mozilla.cfg:

lockPref('security.mixed_content.block_active_content', true);

Default Value:

True

See Also

https://workbench.cisecurity.org/files/4299

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-8, CSCv7|7.9

Plugin: Windows

Control ID: 8cae7c25f54af5dc2bd97b17a55df7cb885de19a944aef1f4ddbefe2e4a078c6