author | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:43:23 -0500 |
---|---|---|
committer | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:43:23 -0500 |
commit | 218934fa2ed1c702a6d3923d2aa2cc6b43c48684 (patch) | |
tree | a9ef8ac1e1b8fe4207b6d64d3841bfb8990b6fd0 /files/th/web/security | |
parent | 074785cea106179cb3305637055ab0a009ca74f2 (diff) | |
initial commit
Diffstat (limited to 'files/th/web/security')
-rw-r--r-- | files/th/web/security/index.html | 238 | ||||
-rw-r--r-- | files/th/web/security/mixed_content/index.html | 85 |
2 files changed, 323 insertions, 0 deletions
diff --git a/files/th/web/security/index.html b/files/th/web/security/index.html new file mode 100644 index 0000000000..c00772364d --- /dev/null +++ b/files/th/web/security/index.html 
@@ -0,0 +1,238 @@ +--- +title: Web security +slug: Web/Security +tags: + - Landing + - NeedsTranslation + - Security + - TopicStub + - Web +translation_of: Web/Security +--- +<div class="summary"> +<p>Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. <span class="seoSummary">The web security-oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.</span></p> +</div> + +<h2 id="Content_security">Content security</h2> + +<dl> + <dt><a href="/en-US/docs/Web/HTTP/CSP">Content security policy (CSP)</a></dt> + <dd><strong>Content Security Policy</strong> ({{Glossary("CSP")}}) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting ({{Glossary("XSS")}}) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.</dd> +</dl> + +<h2 id="Connection_security">Connection security</h2> + +<dl> + <dt><a href="/en-US/docs/Web/Security/Transport_Layer_Security">Transport security layer (TLS)</a></dt> + <dd>The Transport Layer Security ({{Glossary("TLS")}}) protocol is the standard for enabling two networked applications or devices to exchange information privately and robustly. Applications that use TLS can choose their security parameters, which can have a substantial impact on the security and reliability of data. This article provides an overview of TLS and the kinds of decisions you need to make when securing your content.</dd> + <dt>HTTPS</dt> + <dd><strong>HTTPS</strong> (<strong><em>HyperText Transfer Protocol Secure</em></strong>) is an encrypted version of the <a href="https://developer.mozilla.org/en-US/docs/Glossary/HTTP">HTTP</a> protocol. 
It uses <a href="https://developer.mozilla.org/en-US/docs/Glossary/SSL">SSL</a> or <a href="https://developer.mozilla.org/en-US/docs/Glossary/TLS">TLS</a> to encrypt all communication between a client and a server. This secure connection allows clients to be sure that they are connected with the intended server, and to exchange sensitive data.</dd> + <dt><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">HTTP Strict-Transport-Security</a></dt> + <dd>The <code>Strict-Transport-Security:</code> <a href="https://wiki.developer.mozilla.org/en/HTTP" title="en/HTTP">HTTP</a> header lets a website specify that it may only be accessed using HTTPS.</dd> + <dt><a href="/en-US/docs/Web/Security/Certificate_Transparency">Certificate Transparency</a></dt> + <dd><strong>Certificate Transparency</strong> is an open framework designed to protect against and monitor for certificate misissuances. Newly issued certificates are 'logged' to publicly run, often independent CT logs which maintain an append-only, cryptographically assured record of issued TLS certificates.</dd> + <dt><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></dt> + <dd>An HTTPS page that includes content fetched using cleartext HTTP is called a <strong>mixed content</strong> page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.</dd> + <dt><a href="/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content">How to fix a website with blocked mixed content</a></dt> + <dd>If your website delivers HTTPS pages, all <a href="https://wiki.developer.mozilla.org/en-US/docs/Security/MixedContent#Mixed_active_content" title="/en-US/docs/Security/MixedContent#Mixed_active_content">active mixed content</a> delivered via HTTP on these pages will be blocked by default. Consequently, your website may appear broken to users (if iframes or plugins don't load, etc.). 
<a href="https://wiki.developer.mozilla.org/en-US/docs/Security/MixedContent#Mixed_passivedisplay_content" title="/en-US/docs/Security/MixedContent#Mixed_passive.2Fdisplay_content">Passive mixed content</a> is displayed by default, but users can set a preference to block this type of content, as well. This page explains what you should be aware of as a web developer.</dd> + <dt><a href="/en-US/docs/Web/Security/Secure_Contexts">Secure contexts</a></dt> + <dd>A <strong>secure context</strong> is a <code>Window</code> or <code>Worker</code> for which there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are <strong>not</strong> secure is limited. Many Web APIs and features are accessible only in a secure context. The primary goal of secure contexts is to prevent <a class="external external-icon" href="https://en.wikipedia.org/wiki/man-in-the-middle attack" rel="noopener" title="man-in-the-middle attackers">man-in-the-middle attackers</a> from accessing powerful APIs that could further compromise the victim of an attack.</dd> + <dt><a href="/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts">Features restricted to secure contexts</a></dt> + <dd>This reference lists the web platform features available only in secure contexts.</dd> + <dt><a href="/en-US/docs/Web/Security/Weak_Signature_Algorithm">Weak signature algorithms</a></dt> + <dd>The strength of the hash algorithm used in <a class="glossaryLink" href="https://wiki.developer.mozilla.org/en-US/docs/Glossary/Signature/Security" title="signing: A signature, or digital signature, is a protocol showing that a message is authentic.">signing</a> a <a class="glossaryLink" href="https://wiki.developer.mozilla.org/en-US/docs/Glossary/Digital_certificate" title="digital certificate: A digital certificate is a data file that binds a publicly known cryptographic key to an organization.">digital 
certificate</a> is a critical element of the security of the certificate. This article provides some information about signature algorithms known to be weak, so you can avoid them when appropriate.</dd> + <dt>Redirection with 301 and 302 response codes</dt> + <dd>to be written</dd> +</dl> + +<h2 id="Data_security">Data security</h2> + +<dl> + <dt><a href="/en-US/docs/Web/HTTP/Cookies">Using HTTP Cookies</a></dt> + <dd>An <dfn>HTTP cookie</dfn> (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example.</dd> + <dt><a href="/en-US/docs/Web/API/Web_Storage_API/Local_storage">Local storage</a></dt> + <dd>The <code>Window</code> object's <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/API/Window/localStorage" title="The read-only localStorage property allows you to access a Storage object for the Document's origin; the stored data is saved across browser sessions."><code>Window.localStorage</code></a> property is a way for servers to store data on a client that is persistent across sessions.</dd> +</dl> + +<h2 id="Information_leakage">Information leakage</h2> + +<dl> + <dt><a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header policy: privacy and security concerns</a></dt> + <dd>There are privacy and security risks associated with the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer">Referer HTTP header</a>. 
This article describes them and offers advice on mitigating those risks.</dd> + <dt>Robots.txt</dt> + <dd>to be written</dd> + <dt>Site maps</dt> + <dd>to be written</dd> +</dl> + +<h2 id="Integrity">Integrity</h2> + +<dl> + <dt><a href="/en-US/docs/Web/Security/Same-origin_policy">Same-origin policy</a></dt> + <dd>The <strong>same-origin policy</strong> is a critical security mechanism that restricts how a document or script loaded from one <a href="https://developer.mozilla.org/en-US/docs/Glossary/origin">origin</a> can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.</dd> + <dt><a href="/en-US/docs/Web/Security/Subresource_Integrity">Subresource integrity</a></dt> + <dd><strong>Subresource Integrity</strong> (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a <a href="https://developer.mozilla.org/en-US/docs/Glossary/CDN">CDN</a>) are delivered without unexpected manipulation. 
It works by allowing you to provide a cryptographic hash that a fetched resource must match.</dd> + <dt><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">HTTP Access-Control-Allow-Origin</a></dt> + <dd>The <code><strong>Access-Control-Allow-Origin</strong></code> response header indicates whether the response can be shared with requesting code from the given <a href="https://developer.mozilla.org/en-US/docs/Glossary/origin">origin</a>.</dd> + <dt><a href="/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options">HTTP X-Content-Type-Options</a></dt> + <dd> + <p>The <code><strong>X-Content-Type-Options</strong></code> response HTTP header is a marker used by the server to indicate that the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME types</a> advertised in the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type" title="The Content-Type entity header is used to indicate the media type of the resource."><code>Content-Type</code></a> headers should not be changed and be followed. This is a way to opt-out of <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing">MIME type sniffing</a>, or, in other words, to say that the MIME types are deliberately configured.</p> + </dd> +</dl> + +<h2 id="Clickjacking_protection">Clickjacking protection</h2> + +<p id="sect1">In clickjacking, a user is fooled into clicking on a UI element that performs some action other than what the user expects. 
</p> + +<dl> + <dt><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options">HTTP X-Frame-Options</a></dt> + <dd>The <strong><code>X-Frame-Options</code></strong> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP">HTTP</a> response header can be used to indicate whether or not a browser should be allowed to render a page in a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame" title="<frame> is an HTML element which defines a particular area in which another HTML document can be displayed. A frame should be used within a <frameset>."><code><frame></code></a>, <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" title="The HTML Inline Frame element (<iframe>) represents a nested browsing context, embedding another HTML page into the current one."><code><iframe></code></a>, <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/embed" title="The HTML <embed> element embeds external content at the specified point in the document. This content is provided by an external application or other source of interactive content such as a browser plug-in."><code><embed></code></a> or <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object" title="The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin."><code><object></code></a>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.</dd> + <dt><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">CSP: frame-ancestors</a></dt> + <dd>The HTTP <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" title="The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. 
With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS)."><code>Content-Security-Policy</code></a> (CSP) <code><strong>frame-ancestors</strong></code> directive specifies valid parents that may embed a page using <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/frame" title="<frame> is an HTML element which defines a particular area in which another HTML document can be displayed. A frame should be used within a <frameset>."><code><frame></code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" title="The HTML Inline Frame element (<iframe>) represents a nested browsing context, embedding another HTML page into the current one."><code><iframe></code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/object" title="The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin."><code><object></code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/embed" title="The HTML <embed> element embeds external content at the specified point in the document. 
This content is provided by an external application or other source of interactive content such as a browser plug-in."><code><embed></code></a>, or <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/applet" title="The obsolete HTML Applet Element (<applet>) embeds a Java applet into the document; this element has been deprecated in favor of <object>."><code><applet></code></a>.</dd> +</dl> + +<h2 id="User_information_security">User information security</h2> + +<dl> + <dt><a href="/en-US/docs/Web/Security/Insecure_passwords">Insecure passwords</a></dt> + <dd>Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit.</dd> + <dt><a href="/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector">Privacy and the :visited selector</a></dt> + <dd>Before about 2010, the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/CSS">CSS</a> <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/CSS/:visited" title="The :visited CSS pseudo-class represents links that the user has already visited. For privacy reasons, the styles that can be modified using this selector are very limited."><code>:visited</code></a> selector allowed websites to uncover a user's browsing history and figure out what sites the user had visited. 
To mitigate this problem, browsers have limited the amount of information that can be obtained from visited links.</dd> +</dl> + +<h2 id="Security-related_glossary_terms">Security-related glossary terms</h2> + +<div class="twocolumns"> +<ul> + <li> + <p>{{Glossary("Block cipher mode of operation")}}</p> + </li> + <li> + <p>{{Glossary("Certificate authority")}}</p> + </li> + <li> + <p>{{Glossary("challenge", "Challenge-response authentication")}}</p> + </li> + <li> + <p>{{Glossary("Cipher")}}</p> + </li> + <li> + <p>{{Glossary("Cipher suite")}}</p> + </li> + <li> + <p>{{Glossary("Ciphertext")}}</p> + </li> + <li> + <p>{{Glossary("CORS")}}</p> + </li> + <li> + <p>{{Glossary("CORS-safelisted request header")}}</p> + </li> + <li> + <p>{{Glossary("CORS-safelisted response header")}}</p> + </li> + <li> + <p>{{Glossary("Cross-site scripting")}}</p> + </li> + <li> + <p>{{Glossary("Cryptanalysis")}}</p> + </li> + <li> + <p>{{Glossary("Cryptographic hash function")}}</p> + </li> + <li> + <p>{{Glossary("Cryptography")}}</p> + </li> + <li> + <p>{{Glossary("CSP")}}</p> + </li> + <li> + <p>{{Glossary("CSRF")}}</p> + </li> + <li> + <p>{{Glossary("Decryption")}}</p> + </li> + <li> + <p>{{Glossary("Digital certificate")}}</p> + </li> + <li> + <p>{{Glossary("DTLS")}}</p> + </li> + <li> + <p>{{Glossary("Encryption")}}</p> + </li> + <li> + <p>{{Glossary("Forbidden header name")}}</p> + </li> + <li> + <p>{{Glossary("Forbidden response header name")}}</p> + </li> + <li> + <p>{{Glossary("Hash")}}</p> + </li> + <li> + <p>{{Glossary("HMAC")}}</p> + </li> + <li> + <p>{{Glossary("HPKP")}}</p> + </li> + <li> + <p>{{Glossary("HSTS")}}</p> + </li> + <li> + <p>{{Glossary("HTTPS")}}</p> + </li> + <li> + <p>{{Glossary("Key")}}</p> + </li> + <li> + <p>{{Glossary("MitM")}}</p> + </li> + <li> + <p>{{Glossary("OWASP")}}</p> + </li> + <li> + <p>{{Glossary("Preflight request")}}</p> + </li> + <li> + <p>{{Glossary("Public-key cryptography")}}</p> + </li> + <li> + <p>{{Glossary("Reporting 
directive")}}</p> + </li> + <li> + <p>{{Glossary("Robots.txt")}}</p> + </li> + <li> + <p>{{Glossary("Same-origin policy")}}</p> + </li> + <li> + <p>{{Glossary("Session hijacking")}}</p> + </li> + <li> + <p>{{Glossary("SQL injection")}}</p> + </li> + <li> + <p>{{Glossary("Symmetric-key cryptography")}}</p> + </li> + <li> + <p>{{Glossary("TOFU")}}</p> + </li> +</ul> + +<ul> + <li> + <p>{{Glossary("TLS")}}</p> + </li> +</ul> +</div> + +<h2 id="See_also">See also</h2> + +<ul> + <li><a href="https://lists.mozilla.org/listinfo/dev-security">Mozilla security mailing list</a></li> + <li><a href="https://blog.mozilla.com/security/">Security Blog</a></li> + <li><a href="https://twitter.com/mozsec">@mozsec on Twitter</a></li> +</ul> + +<p>{{QuickLinksWithSubpages}}</p> diff --git a/files/th/web/security/mixed_content/index.html b/files/th/web/security/mixed_content/index.html new file mode 100644 index 0000000000..8992059b18 --- /dev/null +++ b/files/th/web/security/mixed_content/index.html 
@@ -0,0 +1,85 @@ +--- +title: Mixed content +slug: Web/Security/Mixed_content +tags: + - HTTP + - HTTPS + - NeedsTranslation + - Security + - TopicStub + - Web + - console +translation_of: Web/Security/Mixed_content +--- +<p>When a user visits a page served over {{Glossary("HTTPS")}}, their connection with the web server is encrypted with {{Glossary("TLS")}} and is therefore safeguarded from most sniffers and man-in-the-middle attacks. <span class="seoSummary">An HTTPS page that includes content fetched using cleartext HTTP is called a <strong>mixed content</strong> page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.</span> That leaves the pages unsafe.</p> + +<h2 id="Types_of_mixed_content">Types of mixed content</h2> + +<p>There are two categories for mixed content: <strong>mixed passive/display content</strong> and <strong>mixed active content</strong>. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.</p> + +<h3 id="Mixed_passivedisplay_content">Mixed passive/display content</h3> + +<p>Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. 
If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.</p> + +<h4 id="Passive_content_list">Passive content list</h4> + +<p>This section lists all types of HTTP requests which are considered passive content:</p> + +<ul> + <li>{{HTMLElement("img")}} (<code>src</code> attribute)</li> + <li>{{HTMLElement("audio")}} (<code>src</code> attribute)</li> + <li>{{HTMLElement("video")}} (<code>src</code> attribute)</li> + <li>{{HTMLElement("object")}} subresources (when an <code><object></code> performs HTTP requests)</li> +</ul> + +<h3 id="Mixed_active_content">Mixed active content</h3> + +<p><strong>Mixed active content</strong> is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.</p> + +<p>In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).</p> + +<p>The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. 
If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.</p> + +<h4 id="Active_content_examples">Active content examples</h4> + +<p>This section lists some types of HTTP requests which are considered active content:</p> + +<ul> + <li>{{HTMLElement("script")}} (<code>src</code> attribute)</li> + <li>{{HTMLElement("link")}} (<code>href</code> attribute) (this includes CSS stylesheets)</li> + <li>{{HTMLElement("iframe")}} (<code>src</code> attribute)</li> + <li>{{domxref("XMLHttpRequest")}} requests</li> + <li>{{domxref("GlobalFetch.fetch","fetch()")}} requests</li> + <li>All cases in CSS where a {{cssxref("url")}} value is used ({{cssxref("@font-face")}}, {{cssxref("cursor")}}, {{cssxref("background-image")}}, and so forth).</li> + <li>{{HTMLElement("object")}} (<code>data</code> attribute)</li> + <li>{{domxref("Navigator.sendBeacon")}} (<code>url</code> attribute)</li> +</ul> + +<p>Other resource types like web fonts and workers may be considered active mixed content, as they are in Chrome.</p> + +<h2 id="Warnings_in_Web_Console">Warnings in Web Console</h2> + +<p>The Firefox Web Console displays a mixed content warning message in the Net pane when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in red, along with the text "mixed content", which links to this page.</p> + +<p><a class="internal" href="/files/12545/Mixed_content_-_Net_pane.png"><img alt="Screen shot of the web console displaying a mixed content warning." src="https://mdn.mozillademos.org/files/12545/Mixed_content_-_Net_pane.png" style="border-style: solid; border-width: 1px; height: 286px; width: 720px;"></a></p> + +<p>As well as finding these warnings in the Web Console, you could use <a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a> to report issues. 
You could also use an online crawler like <a href="http://www.jitbit.com/sslcheck/" rel="noopener">SSL-check</a> or <a href="https://www.missingpadlock.com/" rel="noopener">Missing Padlock</a> that will check your website recursively and find links to insecure content.</p> + +<p>Starting in Firefox 23, mixed active content is blocked by default (and mixed display content can be blocked by setting a preference). To make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the Security pane of the Web Console, as seen below:</p> + +<p><a href="/files/5261/blocked-mixed-content-errors.png"><img alt="A screenshot of blocked mixed content errors in the Security Pane of the Web Console" src="https://mdn.mozillademos.org/files/12543/mixed_content_webconsole.png" style="border-style: solid; border-width: 1px; height: 285px; width: 720px;"></a></p> + +<p>To fix this type of error, all requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos, and other media.</p> + +<div class="note"> +<p><strong>Note</strong>: Since Firefox 55, the loading of mixed content is allowed on http://127.0.0.1/ (see {{bug(903966)}}). Chrome allows mixed content on http://127.0.0.1/ and http://localhost/. Safari does not allow any mixed content.</p> +</div> + +<h2 id="See_also">See also</h2> + +<ul> + <li><a href="https://w3c.github.io/webappsec/specs/mixedcontent/" title="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content - W3C Editor's Draft</a></li> + <li><a href="/en-US/docs/Security/Mixed_content/How_to_fix_website_with_mixed_content">How to fix a website with blocked mixed content</a></li> +</ul> + +<p>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</p> |
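Review bot: in files/th/web/security/index.html, the Secure contexts entry links to `https://en.wikipedia.org/wiki/man-in-the-middle attack` with an unencoded space inside the href, so the link target depends on how each browser repairs the URL; use the underscore form `https://en.wikipedia.org/wiki/Man-in-the-middle_attack`, which is the page Wikipedia actually serves. Three entries in the same file ship as `<dd>to be written</dd>` placeholders (Redirection with 301 and 302 response codes, Robots.txt, Site maps); on a landing page those read as broken content rather than as a todo, so either drop the `<dt>`/`<dd>` pairs until the articles exist or carry the gap in the frontmatter tags instead. A smaller layout point: the glossary list under `twocolumns` ends its first `<ul>` at `TOFU` and puts `{{Glossary("TLS")}}` alone in a second `<ul>`, which breaks the alphabetical order (TLS belongs before TOFU) and the column flow; merge it into the single list.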
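Review bot: in files/th/web/security/mixed_content/index.html, the SSL-check link in Warnings in Web Console is `http://www.jitbit.com/sslcheck/`, a cleartext href on the very page that tells readers to remove cleartext references; change it to `https://` or drop it if the tool is not served over HTTPS. The second screenshot's anchor points at `/files/5261/blocked-mixed-content-errors.png` while its `<img>` loads `files/12543/mixed_content_webconsole.png`, so clicking opens a different file from the one displayed; the first screenshot keeps both on 12545 and this one should match the same way. In the Active content examples list, `{{domxref("Navigator.sendBeacon")}} (<code>url</code> attribute)` describes a method argument, not an attribute: `url` is the first parameter of `sendBeacon()`, so word it as `(<code>url</code> argument)` like the `fetch()` entry. Finally, `<object>` appears in both lists, as "subresources" under passive content and via the `data` attribute under active content; a short pointer from the passive entry to the active one would stop readers from treating `<object>` as passive outright.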