> On Sep 15, 2017, at 7:14 PM, Alex Gaynor <agay...@mozilla.com> wrote:
> 
> Hi Christoph,
> 
> Great stuff!
> 
> Are external applications able to trigger loads of data:, e.g. a desktop mail 
> application, via the OS protocol handler facilities?

Sorry I forgot to mention that explicitly. Since scammers mostly trick users by 
sending emails, those navigations to data: URIs will also be blocked. 

> Alex
> 
> On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer <ckers...@gmail.com> wrote:
> Hey Everyone,
> 
> we plan to prevent web pages from navigating the top-level window to a data: 
> URI. Historically data: URIs caused confusion for end users; mostly because 
> end users are not aware that data: URIs can encode untrusted content into a 
> URL. The fact that data: URIs can execute JavaScript makes them popular 
> amongst scammers for spoofing and phishing attacks.
> 
> To mitigate that risk we installed a pref 
> (“security.data_uri.block_toplevel_data_uri_navigations”) which blocks all 
> top-level navigations to a data: URI. We plan to flip that pref in Nightly 
> using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will evaluate whether 
> we can flip on that change in behavior for FF57 or whether we are going to 
> wait to ship that change in behavior till FF58.
> 
> In more detail, the following cases will be:
> BLOCKED:
>  * Navigating to a new top-level data: URI document using:
>    - window.open("data:...");
>    - window.location = "data:..."
>    - clicking <a href="data:..."> (including ctrl+click, 'open-link-in-*', etc.)
>  * Redirecting to a new top-level data: URI document using:
>    - 302 redirects to "data:..."
>    - meta refresh to "data:..."
> 
> ALLOWED:
>  * User explicitly entering/pasting "data:..." into the URL bar
>  * Opening "data:image/*" in top-level window, unless it's 
> "data:image/svg+xml"
>  * Opening “data:application/pdf” in top-level window
>  * Downloading a data: URI, e.g. 'save-link-as' of "data:..."
> 
> Our telemetry indicates that Firefox would have blocked 0.01% of all loads in 
> 55 release. It’s unfortunate that the permalink [1] for 
> DOCUMENT_DATA_URI_LOADS stopped working today, so you have to take my word 
> for it. To be fair, those telemetry numbers include all top-level data: URI 
> navigations. Recently we have refined our blocking mechanism and deactivated 
> blocking data:image/* loads as well as data:application/pdf, so we expect the 
> blockage number to be even smaller.
> 
> Please note that IE/Edge never supported data: URI navigations [2]. Chrome 
> started to print a deprecation warning for top-level data: URI navigations 
> within M57 and started to block such navigations within M60.
> 
> Overall progress of the project will be tracked here:
>   https://bugzilla.mozilla.org/show_bug.cgi?id=1380959
> 
> Thanks,
>  Christoph
> 
> [1] https://mzl.la/2x5pGRX
> [2] https://msdn.microsoft.com/en-us/library/cc848897.aspx
> 
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
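The BLOCKED/ALLOWED split described in the announcement, modelled as an added example in JavaScript. This is not Firefox's code and not anything posted in the thread; the function names, the `ctx` fields (`userTyped`, `download`) and the sample URIs are assumptions chosen for this example. It parses the media type of a data: URI per RFC 2397 (a missing type defaults to text/plain) and then applies the rules as listed: user-entered and downloaded data: URIs pass, data:image/* passes except image/svg+xml (which can carry script), data:application/pdf passes, everything else is blocked.

```javascript
// Added example, not Gecko code: a plain-function model of the top-level
// data: URI navigation policy from the announcement above.

// Media type of a data: URI (RFC 2397: "data:[<mediatype>][;base64],<data>").
// Returns null for non-data: URLs; an absent media type means text/plain.
function dataUriMediaType(url) {
  if (!/^data:/i.test(url)) return null;
  const comma = url.indexOf(",");
  const header = comma === -1 ? url.slice(5) : url.slice(5, comma);
  const params = header.split(";").map((s) => s.trim()).filter(Boolean);
  // The first ";"-separated token is the type only if it looks like type/subtype;
  // "data:;base64,..." has no type and falls back to text/plain.
  const type = params[0] && params[0].includes("/") ? params[0] : "text/plain";
  return type.toLowerCase();
}

// Would a top-level navigation to `url` be blocked under the announced policy?
// `ctx` describes how the load was initiated (field names are assumptions):
//   userTyped - URL was typed/pasted into the URL bar       -> ALLOWED
//   download  - load is a download ("save link as"), not a navigation -> ALLOWED
// Page-initiated loads (window.open, location=, <a> click, 302, meta refresh)
// are the default case and get no exemption.
function shouldBlockTopLevelDataNavigation(url, ctx = {}) {
  const type = dataUriMediaType(url);
  if (type === null) return false;                 // not a data: URI; policy N/A
  if (ctx.userTyped || ctx.download) return false; // explicit user action
  if (type === "application/pdf") return false;    // ALLOWED
  if (type.startsWith("image/") && type !== "image/svg+xml") return false; // ALLOWED
  return true;                                     // BLOCKED: text/html, svg, text/plain, ...
}

// Constructed sample loads, each a (url, ctx) pair as a page or user would trigger it.
const SAMPLE_LOADS = [
  ["data:text/html,<script>alert(document.domain)</script>", {}],
  ["data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>", {}],
  ["data:image/png;base64,iVBORw0KGgo=", {}],
  ["data:application/pdf;base64,JVBERi0=", {}],
  ["data:,hello", {}],
  ["data:text/html,<h1>typed</h1>", { userTyped: true }],
  ["data:text/html,<h1>saved</h1>", { download: true }],
  ["https://example.com/", {}],
];

// Classify every sample; returns [{url, type, blocked}] for inspection.
function classifySamples(loads = SAMPLE_LOADS) {
  return loads.map(([url, ctx]) => ({
    url,
    type: dataUriMediaType(url),
    blocked: shouldBlockTopLevelDataNavigation(url, ctx),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifySamples()) {
    console.log(`${r.blocked ? "BLOCKED" : "ALLOWED"}  ${r.type ?? "-"}  ${r.url.slice(0, 60)}`);
  }
}
```

Note that the model keys only on the parsed media type and the initiating context; it does not inspect the payload, which matches the announced rules (a `data:text/html` page is blocked whether or not it contains script, and `data:image/svg+xml` is blocked on type alone).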
