Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.

From Mozilla Firefox Security Technical Implementation Guide

Part of DTBF130 - Non-secure Page Warning

Associated with: CCI-000366

SV-16931r1_rule Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.

Vulnerability discussion

Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings.

Check content

Type "about:config" in the browser window. Verify that the preference name “security.warn_leaving_secure" is set to “true” and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix text

Ensure the preference “security.warn_leaving_secure" is set to “true” and locked on this setting.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.