Stanford Web Security Research

SafeLock: Detecting Mixed Content

Goal

When a document embeds insecure content, the browser should revoke the capability to display a lock icon from all documents in the same security origin as the contaminated document. This mitigation is possible because the capability to display a lock icon is revocable.

We have implemented an experimental prototype of lock icon revocation as a Firefox browser extension:

Documentation

Beware of Finer-Grained Origins (pdf) [BIBTEX]

Test Cases

Due to known limitations in Firefox's mixed content detection architecture, SafeLock does not break the lock icon on tests 1 and 6.

Note: Because SafeLock revokes the capability to display an unbroken lock for the remainder of the browsing session, you may need to restart your browser before trying each test case.

  1. Images
  2. Scripts
  3. Stylesheets
  4. Frames
  5. Scripts in frames
  6. Stylesheets in frames
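The following is an added, self-contained model of the revocation policy described above, written for this page; it is not SafeLock's source and does not use Firefox extension APIs. It assumes a security origin is scheme://host:port, that the lock is a per-origin capability held for the whole browsing session (which is why the note above says to restart the browser between tests), and, as a further assumption not stated on the page, that a tab shows the lock only when every document in its frame tree still holds the capability. The URLs and the six scenarios below are constructed to mirror the test case list; the model applies the intended policy to all six, so it also revokes in the two cases (images, stylesheets in frames) where the page says the Firefox prototype cannot.

```javascript
// Illustrative model of SafeLock-style lock icon revocation (added example,
// not SafeLock's code). Assumption: origin = scheme://host[:port].
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // host keeps a non-default port
}

// Anything not delivered over https: is treated as insecure content.
function isInsecure(url) {
  return new URL(url).protocol !== 'https:';
}

// Session-scoped registry of origins whose lock capability has been revoked.
// There is deliberately no way to restore a capability: revocation lasts for
// the rest of the session, matching the behaviour described on the page.
class LockRegistry {
  constructor() {
    this.revoked = new Set();
  }

  // Record that the document at docUrl embedded a subresource (image, script,
  // stylesheet or frame) at subUrl. If the subresource is insecure, every
  // document in docUrl's origin loses the lock, not just docUrl itself.
  embed(docUrl, subUrl) {
    if (isInsecure(docUrl)) return; // an http: document never held the capability
    if (isInsecure(subUrl)) this.revoked.add(originOf(docUrl));
  }

  // May a single document display an unbroken lock?
  canShowLock(docUrl) {
    return !isInsecure(docUrl) && !this.revoked.has(originOf(docUrl));
  }
}

// Assumption (not on the page): the tab-level lock aggregates over the whole
// frame tree, so a contaminated frame breaks the lock for the top-level page.
function tabShowsLock(registry, frameTreeUrls) {
  return frameTreeUrls.every((u) => registry.canShowLock(u));
}

// Constructed scenarios mirroring the six test cases. Each scenario uses a
// fresh session so revocations do not leak between cases.
function runScenarios() {
  const results = {};

  // 1-3: image, script, stylesheet embedded directly by an https document.
  for (const [name, sub] of [
    ['images', 'http://cdn.example/logo.png'],
    ['scripts', 'http://cdn.example/app.js'],
    ['stylesheets', 'http://cdn.example/site.css'],
  ]) {
    const r = new LockRegistry();
    r.embed('https://bank.example/account', sub);
    results[name] = {
      contaminatedDoc: r.canShowLock('https://bank.example/account'),
      sameOriginSibling: r.canShowLock('https://bank.example/help'), // also loses lock
      otherOrigin: r.canShowLock('https://other.example/'), // unaffected
    };
  }

  // 4: an http: frame is itself insecure content for the embedding document.
  {
    const r = new LockRegistry();
    r.embed('https://bank.example/account', 'http://ads.example/frame.html');
    results.frames = { top: r.canShowLock('https://bank.example/account') };
  }

  // 5-6: an https frame from another origin embeds an insecure script or
  // stylesheet. The frame's origin is revoked; the top-level origin keeps its
  // capability, but the tab lock (aggregated) is still broken.
  for (const [name, sub] of [
    ['scriptsInFrames', 'http://cdn.example/widget.js'],
    ['stylesheetsInFrames', 'http://cdn.example/widget.css'],
  ]) {
    const r = new LockRegistry();
    const top = 'https://shop.example/checkout';
    const frame = 'https://widget.example/embed';
    r.embed(top, frame); // secure frame: no revocation
    r.embed(frame, sub); // insecure content inside the frame
    results[name] = {
      top: r.canShowLock(top),
      frame: r.canShowLock(frame),
      tab: tabShowsLock(r, [top, frame]),
    };
  }

  return results;
}

module.exports = { originOf, isInsecure, LockRegistry, tabShowsLock, runScenarios };
```

The key property the model makes visible is the per-origin scope of revocation: in the image, script and stylesheet cases the sibling document https://bank.example/help loses its lock even though it embedded nothing insecure, while https://other.example/ is untouched.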

If you have suggestions for SafeLock, please send us feedback.