Forum Discussion
Dev channel update to 81.0.396.0 is live
I see that the option to block Mixed Content has arrived in Dev, which is welcome news for SysAdmins like me trying to keep our network secure. I'm confused about the implementation though.
The help text says "Insecure content is blocked by default on secure sites", but when I run some tests on BadSSL.com, there seems to be no blocking occurring. I don't see any sort of warning either.
https://mixed-script.badssl.com/ - HTTPS page loaded script successfully from HTTP
https://very.badssl.com/ - Image loaded from HTTP and form that submits to HTTP on HTTPS page
There is also an inconsistent use of the "Not Secure" address bar icon, which appears on HTTP pages. It is normally grey and easily missed by the average user. It becomes /!\ Not Secure when you encounter an HTTPS error, which is very eye-catching. I hope in the future that it will be standard /!\ Not Secure on all HTTP sites to remind users they are visiting insecure sites.
If you are not ready to make that step yet, would it at least be possible to add detection for the following major security issues, and show the /!\ Not Secure icon?
http://http-password.badssl.com/ - Password field on HTTP page
http://http-login.badssl.com/ - Login form on HTTP page
http://http-credit-card.badssl.com/ - Credit card input form on HTTP page
--EDIT-- After further testing, it seems that the icon does change for these issues, but only when you activate the element. Can you promote this check to the initial paint, so no user interaction is required?
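As an added example (not code from the original post or from the Edge project), the script below classifies the conditions the badssl.com pages in the post exercise: active and passive mixed content on an HTTPS page, an HTTPS form that submits to HTTP, and password or credit-card fields on a plain-HTTP page. It works on a constructed list of `{tag, attrs}` records so it runs offline under Node; in a browser the same list can be built from `document.querySelectorAll('*')`.

```javascript
// Audit helper (added example, not Edge's implementation).
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']); // can execute code
const PASSIVE_TAGS = new Set(['img', 'audio', 'video']);              // display-only

function resolveUrl(pageUrl, value) {
  // Resolves relative and protocol-relative (//host/...) references against the page URL.
  try { return new URL(value, pageUrl); } catch (e) { return null; }
}

function auditPage(pageUrl, elements) {
  const pageIsHttps = new URL(pageUrl).protocol === 'https:';
  const findings = [];
  for (const { tag, attrs = {} } of elements) {
    const name = tag.toLowerCase();
    // Sub-resources are only a problem when an HTTPS page fetches them over HTTP.
    const srcAttr = name === 'link' ? 'href' : 'src';
    const isStylesheet = name === 'link' && /\bstylesheet\b/i.test(attrs.rel || '');
    if (pageIsHttps && attrs[srcAttr] && (isStylesheet || ACTIVE_TAGS.has(name) || PASSIVE_TAGS.has(name))) {
      const target = resolveUrl(pageUrl, attrs[srcAttr]);
      if (target && target.protocol === 'http:') {
        const kind = PASSIVE_TAGS.has(name) ? 'passive-mixed-content' : 'active-mixed-content';
        findings.push({ kind, tag: name, url: target.href });
      }
    }
    // An HTTPS page posting a form to HTTP sends the submitted data in clear.
    if (pageIsHttps && name === 'form') {
      const target = resolveUrl(pageUrl, attrs.action || '');
      if (target && target.protocol === 'http:') findings.push({ kind: 'insecure-form-action', url: target.href });
    }
    // Sensitive inputs on a plain-HTTP page, flagged at parse time rather than on focus.
    if (!pageIsHttps && name === 'input') {
      const type = (attrs.type || 'text').toLowerCase();
      const autocomplete = (attrs.autocomplete || '').toLowerCase();
      if (type === 'password') findings.push({ kind: 'password-field-on-http' });
      else if (autocomplete.startsWith('cc-')) findings.push({ kind: 'credit-card-field-on-http', field: autocomplete });
    }
  }
  return findings;
}

// Constructed stand-ins for the badssl.com test pages named in the post (hostnames and paths are made up).
function runSamples() {
  return {
    mixedScript: auditPage('https://secure.example/', [{ tag: 'script', attrs: { src: 'http://secure.example/app.js' } }]),
    veryBad: auditPage('https://secure.example/', [
      { tag: 'img', attrs: { src: 'http://secure.example/logo.png' } },
      { tag: 'form', attrs: { action: 'http://secure.example/submit' } },
    ]),
    httpPassword: auditPage('http://plain.example/', [{ tag: 'input', attrs: { type: 'password' } }]),
    httpCreditCard: auditPage('http://plain.example/', [{ tag: 'input', attrs: { autocomplete: 'cc-number' } }]),
  };
}
```

Protocol-relative references such as `//cdn.example/a.js` inherit the page's scheme and are correctly not flagged on an HTTPS page.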