Killing Mixed Content HTTPS

???
Posts: 11
Joined: Tue Nov 10, 2009 3:47 am

Killing Mixed Content HTTPS

Post by ??? »

I've been enjoying looking at the error console to see the info on NoScript forcing https on sites that aren't doing it so well by themselves. NoScript does a great job on sites with mixed content that have a secure version of the not-secure files available, but on some sites that's not the case and the page still renders with mixed content.

From what I can tell, NoScript executes after ABP and RP. Which means that using either program* to block mixed content would render any content that NS could force into a secure connection to be blocked before that would even be possible. :(

Is there some way to make NS block mixed content? Actually, I don’t even know if it’s within the purview of NS to do that . . . but having a way within NS to block non-forceable content would really make the https protections complete, kind of like the icing on the cake (or should that be cookies? :) ).

*both were recommended so tried them: ABP does it well and RP not so much--depends on the site.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Killing Mixed Content HTTPS

Post by GµårÐïåñ »

You could add sitewide exceptions for those mixed content sites that you wish to regulate with NS instead of ABP and RP. So if you declare an exemption @@ for the site in ABP and allow it under RP, then NS will have control over it and can do its thing. NS is designed to run last so as to allow other actions to take place to avoid conflict and/or out of order actions from taking place and ruining the browsing experience. If you want something to make it that far then just allow them via exemptions in the layers that come before it. Same within NS as well, if you want ABE to control something, then allow it in NS first. You get the idea but let me know if you want more elaboration on it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
???
Posts: 11
Joined: Tue Nov 10, 2009 3:47 am

Re: Killing Mixed Content HTTPS

Post by ??? »

Thanks. Sorry it's taken so long to respond. Yup, do understand how to let stuff through to NS. However, may need help figuring out how to get NS to behave as desired. Don't know if ABE is an answer? Tried messing about with it for a while, but with no luck.

Using mozdev.org as an example, is there a way to just use NS to get a secure page?
Here are my tests from yesterday. Some of the entries are obviously superfluous (e.g. there will be no error console entry if not using NS for HTTPS), but they’re there for easy comparison between the examples.

Went to https or http version of mozdev.org (as noted) = page rendered securely or with mixed content (as noted).
ABP filter used:

http://$domain=mozdev.org

ABP with filter + NS with force HTTPS
to https = rendered SECURE
ABP blocked:
http://www.mozdev.org/sharedimages/donate_button.gif
http://www.mozdev.org/sharedimages/getfirefox_88x31.png
http://www.mozdev.org/sharedimages/shop_button.gif
http://www.mozdev.org/sharedimages/valid_css_small.gif
http://www.mozdev.org/sharedimages/valid_html_small.gif
ABP didn't block:
https://mozdev.org/sharedimages/donate_button.gif
https://mozdev.org/sharedimages/getfirefox_88x31.png
https://mozdev.org/sharedimages/shop_button.gif
https://mozdev.org/sharedimages/valid_css_small.gif
https://mozdev.org/sharedimages/valid_html_small.gif
https://www.mozdev.org/default.css
https://www.mozdev.org/openx/www/delive ... n=abb3f22d
https://www.mozdev.org/reorg/b-i-f.css
https://www.mozdev.org/reorg/position.css
https://www.mozdev.org/sharedimages/boxen.png
https://www.mozdev.org/sharedimages/feed-icon-12x12.png
https://www.mozdev.org/sharedimages/mozdev-icon.png
https://www.mozdev.org/sharedimages/mozilla-16.png
https://www.mozdev.org/sharedimages/nav_arrow_w.png
https://www.mozdev.org/sharedimages/songbird_button.png
https://www.mozdev.org/skin/color/winter.css
https://www.mozdev.org/skin/default/contact_top50.css
https://www.mozdev.org/skin/default/index4.css
https://www.mozdev.org/skin/default/notes.css
https://www.mozdev.org/skin/default/notes2-layout.css
https://www.mozdev.org/skin/dft2003/print.css
https://www.mozdev.org/skin/winter/mozdev.png
https://www.mozdev.org/skin/winter/winter.css
https://www.mozdev.org/skin/winter/xback.png
error console = 0

to http = rendered SECURE
ABP blocked = same as above
ABP didn’t block = same as above
error console = [NoScript HTTPS] Forcing https on http://mozdev.org/

ABP with filter only

to https = rendered SECURE
ABP blocked = same as above
ABP didn’t block = same as above
error console = 0

to http = rendered MIXED CONTENT and page looks like crap
ABP blocked = same as above plus:
http://www.mozdev.org/default.css
http://www.mozdev.org/openx/www/deliver ... n=abb3f22d
http://www.mozdev.org/sharedimages/mozdev-icon.png
http://www.mozdev.org/skin/default/index4.css
http://www.mozdev.org/skin/dft2003/print.css
http://www.mozdev.org/skin/winter/winter.css
ABP didn’t block = 0
error console = 0

NS with force HTTPS only

to https = rendered MIXED CONTENT
ABP blocked = 0
ABP didn’t block = same as top item above (first item) plus:
http://www.mozdev.org/sharedimages/donate_button.gif
http://www.mozdev.org/sharedimages/getfirefox_88x31.png
http://www.mozdev.org/sharedimages/shop_button.gif
http://www.mozdev.org/sharedimages/valid_css_small.gif
http://www.mozdev.org/sharedimages/valid_html_small.gif
error console = 0*

to http = rendered MIXED CONTENT
ABP blocked = 0
ABP didn’t block = same as one item above (NS only to https)
error console = [NoScript HTTPS] Forcing https on http://mozdev.org/*


In a nutshell:
these render mixed content:
FF to https
NS to https and http
this renders mixed content and broken:
ABP to http
these render securely:
ABP to https
ABP + NS to https and to http


*This data has actually changed since the first time I did the tests a couple of weeks ago. At that point, when going to https with NS by itself (no ABP) the error console was showing NS forcing the 5 http uri's that ABP blocks in the first item here, when going to http it was the same with the additional entry: [NoScript HTTPS] Forcing https on http://mozdev.org/.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
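
An added illustration (not part of the thread, and not NoScript or Adblock Plus code) of the layer-order question discussed above: a blocking layer that runs first drops requests a later force-HTTPS layer could have upgraded, force-HTTPS alone leaves non-upgradable requests as mixed content, and upgrading first and then blocking leaves none. The hosts, the `FORCEABLE` list and all function names are constructed for the example.

```javascript
// Model only: not NoScript or Adblock Plus code. Hosts below are constructed.
const PAGE = 'https://site.example/';
const FORCEABLE = new Set(['static.site.example']); // assumed to serve HTTPS too
const REQUESTS = [
  'http://static.site.example/logo.png',   // secure copy exists
  'http://legacy.site.example/banner.gif', // no secure copy
];

// Blocking layer, modelled on the thread's filter: drop http:// requests
// made by pages on `domain`.
function blockHttpLayer(domain) {
  return (req) => {
    const host = new URL(req.page).hostname;
    const onDomain = host === domain || host.endsWith('.' + domain);
    const insecure = new URL(req.url).protocol === 'http:';
    return onDomain && insecure ? { ...req, action: 'block' } : req;
  };
}

// Upgrade layer, modelled on "force HTTPS": rewrite http:// for listed hosts.
function forceHttpsLayer(forceHosts) {
  return (req) => {
    const u = new URL(req.url);
    if (u.protocol !== 'http:' || !forceHosts.has(u.hostname)) return req;
    u.protocol = 'https:';
    return { ...req, url: u.href, action: 'upgrade' };
  };
}

// Run layers in order; a blocked request never reaches later layers.
function runPipeline(layers, page, url) {
  let req = { page, url, action: 'allow' };
  for (const layer of layers) {
    req = layer(req);
    if (req.action === 'block') break;
  }
  const mixed = req.action !== 'block' &&
    new URL(page).protocol === 'https:' && new URL(req.url).protocol === 'http:';
  return { url: req.url, action: req.action, mixed };
}

const block = blockHttpLayer('site.example');
const force = forceHttpsLayer(FORCEABLE);
const outcomes = (layers) => REQUESTS.map((u) => runPipeline(layers, PAGE, u));

console.log('block first  ', outcomes([block, force]));
console.log('force only   ', outcomes([force]));
console.log('force + block', outcomes([force, block]));
```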