Hi Christoph,
Great stuff!
Are external applications able to trigger loads of data:, e.g. a desktop
mail application, via the OS protocol handler facilities?
Alex
On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer <ckers...@gmail.com>
wrote:
> Hey Everyone,
>
> we plan to prevent web pages from navigating the top-level window to a
> data: URI. Historically data: URIs caused confusion for end users; mostly
> because end users are not aware that data: URIs can encode untrusted
> content into a URL. The fact that data: URIs can execute JavaScript makes
> them popular amongst scammers for spoofing and phishing attacks.
>
> To mitigate that risk we installed a pref (“security.data_uri.block_
> toplevel_data_uri_navigations”) which blocks all top-level navigations to
> a data: URI. We plan to flip that pref in Nightly using “ifdef
> EARLY_BETA_OR_EARLIER”. In a few weeks we will evaluate whether we can flip
> on that change in behavior for FF57 or whether we are going to wait to ship
> that change in behavior till FF58.
>
> In more detail, the following cases will be:
> BLOCKED:
> * Navigating to a new top-level data: URI document using:
> - window.open("data:...");
> - window.location = "data:..."
> - clicking <a href="data:..." (including ctrl+click, 'open-link-in-*',
> etc).
> * Redirecting to a new top-level data: URI document using:
> - 302 redirects to "data:..."
> - meta refresh to "data:..."
>
> ALLOWED:
> * User explicitly entering/pasting "data:..." into the URL bar
> * Opening "data:image/*" in top-level window, unless it's
> "data:image/svg+xml"
> * Opening “data:application/pdf” in top-level window
> * Downloading a data: URI, e.g. 'save-link-as' of "data:..."
>
> Our telemetry indicates that Firefox would have blocked 0.01% of all loads
> in 55 release. It’s unfortunate that the permalink [1] for
> DOCUMENT_DATA_URI_LOADS stopped working today, so you have to take my word
> for it. To be fair, those telemetry numbers include all top-level data: URI
> navigations. Recently we have refined our blocking mechanism and
> deactivated blocking data:image/* loads as well as data:application/pdf, so
> we expect the blockage number to be even smaller.
>
> Please note that IE/Edge never supported data: URI navigations [2]. Chrome
> started to print a deprecation warning for top-level data: URI navigations
> within M57 and started to block such navigations within M60.
>
> Overall progress of the project will be tracked here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1380959 <
> https://bugzilla.mozilla.org/show_bug.cgi?id=1380959>
>
> Thanks,
> Christoph
>
> [1] https://mzl.la/2x5pGRX <https://mzl.la/2x5pGRX>
> [2] https://msdn.microsoft.com/en-us/library/cc848897.aspx <
> https://msdn.microsoft.com/en-us/library/cc848897.aspx>
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
