Firefox 23, released today, contains the usual mix of security work, standards conformance improvements, and minor bug fixes that we've come to expect from the regular browser releases. On top of these, it sports a trio of changes that you might actually notice.
Most visible of all, Firefox has a new icon. Don't worry—the lovable firefox is still embracing the globe and still has its back rudely turned toward us. The blue marble is, however, much less shiny than it once was.
The other two changes both matter for their security implications. First, Firefox at last follows the lead of Internet Explorer and Chrome by blocking (non-secure) HTTP content loaded by (secure) HTTPS pages.
Internet Explorer has defaulted to blocking mixed content for many years, showing a warning each time it does so. In times gone by these warnings were dialog boxes; in current versions of the browser, they're shown as information bars along the bottom of the page. Other browser vendors, however, continued to freely load the insecure content.
Chrome 14 betas, in June 2011, started showing warnings when loading insecure scripts from HTTPS pages. The block-by-default behavior was first rolled out in Chrome 19. The protection was strengthened in Chrome 21, with stricter blocking and a less invasive UI.
Firefox's protection splits content into two kinds: "active" content (including scripts, stylesheets, and content embedded in frames) and "passive" content (such as images and videos). By default, Firefox 23 will block only the mixed active content, because in principle the mixed passive content shouldn't pose a security threat.
When content is blocked, rather than showing a highly visible alert (as Internet Explorer does, and Chrome did prior to version 21), a grey shield will be placed in the address bar. Clicking the shield will reveal information about what was blocked and allow unblocking. This is very similar to the system that Google uses in Chrome 21 and beyond.
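For site owners who want to know which resources on an HTTPS page fall into each category, the sketch below audits a page's markup using the active/passive split described above. It is an added example, not code from Mozilla or from the original article; the tag-to-category mapping, the function names, and the sample page with its hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed tag/attribute mapping for the article's two categories.
ACTIVE = {"script": "src", "iframe": "src", "frame": "src"}  # plus <link rel=stylesheet>
PASSIVE = {"img": "src", "video": "src"}
# Constructed sample page; hostnames are placeholders.
PAGE_URL = "https://shop.example.test/cart"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
<img src="http://img.example.test/logo.png">
<video src="http://media.example.test/clip.webm"></video>
"""

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            kind, ref = "active", (attrs.get("href") if "stylesheet" in rel else None)
        elif tag in ACTIVE:
            kind, ref = "active", attrs.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, ref = "passive", attrs.get(PASSIVE[tag])
        else:
            return
        if not ref:
            return
        # Relative and protocol-relative references inherit the page's https scheme.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    return parser.findings

def blocked_by_default(findings):
    """Subset the article says Firefox 23 blocks by default: active content only."""
    return [f for f in findings if f[0] == "active"]
```

Static markup is only part of the picture: resources that scripts request at run time do not appear in the HTML, so the output is a lower bound on what the browser will flag.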