Hey Everyone,
we plan to prevent web pages from navigating the top-level window to a data:
URI. Historically, data: URIs have caused confusion for end users, mostly because end
users are not aware that data: URIs can encode untrusted content into a URL.
The fact that data: URIs can execute JavaScript makes them popular amongst
scammers for spoofing and phishing attacks.
To mitigate that risk we installed a pref
(“security.data_uri.block_toplevel_data_uri_navigations”) which blocks all
top-level navigations to a data: URI. We plan to flip that pref in Nightly
using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will evaluate whether we
can flip on that change in behavior for FF57 or whether we are going to wait to
ship that change in behavior till FF58.
In more detail, the following cases will be:
BLOCKED:
* Navigating to a new top-level data: URI document using:
- window.open("data:...");
- window.location = "data:..."
- clicking <a href="data:..."> (including ctrl+click, 'open-link-in-*', etc.)
* Redirecting to a new top-level data: URI document using:
- 302 redirects to "data:..."
- meta refresh to "data:..."
ALLOWED:
* User explicitly entering/pasting "data:..." into the URL bar
* Opening "data:image/*" in top-level window, unless it's "data:image/svg+xml"
* Opening “data:application/pdf” in top-level window
* Downloading a data: URI, e.g. 'save-link-as' of "data:..."
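The BLOCKED/ALLOWED table above, expressed as a small policy model so the cases can be checked offline. This is an added example and not Mozilla's code; the initiator names, the function names and the sample navigations are assumptions made for this illustration and do not mirror Firefox's internal API.

```javascript
// Added example, not Mozilla's code: a stand-alone model of the
// BLOCKED/ALLOWED policy described in the post. Initiator names, function
// names and sample data are assumptions for this illustration only.

// Media type of a data: URI (RFC 2397: "data:[<mediatype>][;base64],<data>";
// the media type defaults to text/plain when omitted). Returns null when the
// URL is not a data: URI at all.
function parseDataUriMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url.trim());
  if (!m) return null;
  // Keep only type/subtype: drop ";base64" and parameters like ";charset=utf-8".
  const mediaType = m[1].split(";")[0].trim().toLowerCase();
  return mediaType === "" ? "text/plain" : mediaType;
}

// Who started the navigation. The first two are user-driven actions that the
// proposal keeps allowed; the rest are page-driven and subject to blocking.
const Initiator = Object.freeze({
  USER_TYPED: "user-typed",   // entered/pasted into the URL bar
  DOWNLOAD: "download",       // 'save-link-as' of the URL
  LINK_CLICK: "link-click",   // <a href="data:..."> (incl. ctrl+click)
  SCRIPT: "script",           // window.open / window.location = "data:..."
  REDIRECT: "redirect",       // 302 redirect or meta refresh to "data:..."
});

// true when the top-level navigation would be blocked under the policy.
function shouldBlockTopLevelNavigation(url, initiator) {
  const mediaType = parseDataUriMediaType(url);
  if (mediaType === null) return false;  // not a data: URI, policy does not apply
  if (initiator === Initiator.USER_TYPED || initiator === Initiator.DOWNLOAD) {
    return false;  // explicit user entry or download stays allowed
  }
  if (mediaType === "application/pdf") return false;
  if (mediaType.startsWith("image/") && mediaType !== "image/svg+xml") {
    return false;  // raster images are allowed; SVG documents can carry script
  }
  return true;  // text/html, image/svg+xml, text/plain and everything else
}

// Constructed sample navigations (not real telemetry) for the demo below.
const SAMPLE_NAVIGATIONS = [
  { url: "data:text/html,<h1>hello</h1>", initiator: Initiator.SCRIPT },
  { url: "data:text/html;base64,PGgxPmhlbGxvPC9oMT4=", initiator: Initiator.REDIRECT },
  { url: "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>", initiator: Initiator.LINK_CLICK },
  { url: "data:,plain text", initiator: Initiator.LINK_CLICK },
  { url: "data:image/png;base64,iVBORw0KGgo=", initiator: Initiator.LINK_CLICK },
  { url: "data:application/pdf;base64,JVBERi0=", initiator: Initiator.SCRIPT },
  { url: "data:text/html,<h1>hello</h1>", initiator: Initiator.USER_TYPED },
  { url: "data:text/html,<h1>hello</h1>", initiator: Initiator.DOWNLOAD },
  { url: "https://example.com/", initiator: Initiator.SCRIPT },
];

// Apply the policy to a list of navigations and tally the outcome.
function summarize(navigations) {
  const summary = { blocked: 0, allowed: 0 };
  for (const nav of navigations) {
    const verdict = shouldBlockTopLevelNavigation(nav.url, nav.initiator) ? "blocked" : "allowed";
    summary[verdict]++;
  }
  return summary;
}

console.log(summarize(SAMPLE_NAVIGATIONS)); // { blocked: 4, allowed: 5 }
```

Note that a missing media type is treated as text/plain, which the policy blocks, and that the image/svg+xml exception is checked before the generic image/* rule; getting those two orderings wrong is the easy way to accidentally let a scriptable document through.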
Our telemetry indicates that Firefox would have blocked 0.01% of all loads in
55 release. It’s unfortunate that the permalink [1] for DOCUMENT_DATA_URI_LOADS
stopped working today, so you have to take my word for it. To be fair, those
telemetry numbers include all top-level data: URI navigations. Recently we have
refined our blocking mechanism and deactivated blocking data:image/* loads as
well as data:application/pdf, so we expect the blockage number to be even
smaller.
Please note that IE/Edge never supported data: URI navigations [2]. Chrome
started to print a deprecation warning for top-level data: URI navigations
within M57 and started to block such navigations within M60.
Overall progress of the project will be tracked here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1380959
Thanks,
Christoph
[1] https://mzl.la/2x5pGRX
[2] https://msdn.microsoft.com/en-us/library/cc848897.aspx
dev-platform mailing list
https://lists.mozilla.org/listinfo/dev-platform