SafeLock: Detecting Mixed Content
When a document embeds insecure content, the browser should revoke the capability to display a lock icon from all documents in the same security origin as the contaminated document. This mitigation is possible because the capability to display a lock icon is revocable.
We have implemented an experimental prototype of lock icon revocation as a Firefox browser extension.
In Web 2.0 Security and Privacy (W2SP 2008)
Due to known limitations in Firefox's mixed content detection architecture, SafeLock does not break the lock icon on test 1 and test 6.
Note: Because SafeLock revokes the capability to display an unbroken lock for the remainder of the browsing session, you may need to restart your browser before trying each test case.
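The revocation rule described above can be modeled as a small state machine. The following is an added example, not SafeLock's own code: the class and method names are hypothetical, the URLs are constructed, and "insecure content" is simplified to an `http:` subresource loaded by an `https:` document. It compares origin-wide, session-long revocation with a per-document flag.

```javascript
// Added illustration of origin-scoped lock icon revocation.
// All names are hypothetical; this is not the extension's code.
class LockIconModel {
  constructor() {
    this.revokedOrigins = new Set(); // kept for the whole browsing session
    this.dirtyDocuments = new Set(); // per-document flag, for comparison only
  }

  // Record a subresource load; returns true if it contaminated the document.
  recordLoad(documentUrl, resourceUrl) {
    const doc = new URL(documentUrl);
    const res = new URL(resourceUrl, documentUrl); // resolves relative URLs
    const insecure = doc.protocol === "https:" && res.protocol === "http:";
    if (insecure) {
      this.revokedOrigins.add(doc.origin); // scheme + host + port
      this.dirtyDocuments.add(doc.href);
    }
    return insecure;
  }

  // Comparison baseline: only the embedding document loses the lock.
  perDocumentLock(documentUrl) {
    const doc = new URL(documentUrl);
    return doc.protocol === "https:" && !this.dirtyDocuments.has(doc.href);
  }

  // Rule from the text: every document in a contaminated origin loses it.
  originWideLock(documentUrl) {
    const doc = new URL(documentUrl);
    return doc.protocol === "https:" && !this.revokedOrigins.has(doc.origin);
  }
}

// Constructed sample session: one page on bank.example embeds an http script.
function demo() {
  const m = new LockIconModel();
  const before = m.originWideLock("https://bank.example/account");
  const relative = m.recordLoad("https://bank.example/news", "/img/logo.png");
  m.recordLoad("https://bank.example/news", "http://cdn.example/widget.js");
  return {
    before,                                                            // true
    relative,                                                          // false
    contaminatedDoc: m.originWideLock("https://bank.example/news"),    // false
    cleanDocPerDocument: m.perDocumentLock("https://bank.example/account"), // true
    cleanDocOriginWide: m.originWideLock("https://bank.example/account"),   // false
    otherPort: m.originWideLock("https://bank.example:8443/admin"),    // true
    otherOrigin: m.originWideLock("https://shop.example/cart"),        // true
  };
}
```

Because `revokedOrigins` is never cleared, a later visit to any page on the contaminated origin still reports no lock, which matches the need to restart the browser between test cases.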
If you have suggestions for SafeLock, please send us feedback.