Hi Christoph,

Great stuff!

Are external applications able to trigger loads of data:, e.g. a desktop mail application, via the OS protocol handler facilities?

Alex

On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer <ckers...@gmail.com> wrote:
> Hey Everyone,
>
> we plan to prevent web pages from navigating the top-level window to a
> data: URI. Historically data: URIs caused confusion for end users; mostly
> because end users are not aware that data: URIs can encode untrusted
> content into a URL. The fact that data: URIs can execute JavaScript makes
> them popular amongst scammers for spoofing and phishing attacks.
>
> To mitigate that risk we installed a pref
> (“security.data_uri.block_toplevel_data_uri_navigations”) which blocks all
> top-level navigations to a data: URI. We plan to flip that pref in Nightly
> using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will evaluate
> whether we can flip on that change in behavior for FF57 or whether we are
> going to wait to ship that change in behavior till FF58.
>
> In more detail, the following cases will be:
>
> BLOCKED:
> * Navigating to a new top-level data: URI document using:
>   - window.open("data:...");
>   - window.location = "data:..."
>   - clicking <a href="data:..." (including ctrl+click, 'open-link-in-*', etc).
> * Redirecting to a new top-level data: URI document using:
>   - 302 redirects to "data:..."
>   - meta refresh to "data:..."
>
> ALLOWED:
> * User explicitly entering/pasting "data:..." into the URL bar
> * Opening "data:image/*" in top-level window, unless it's "data:image/svg+xml"
> * Opening “data:application/pdf” in top-level window
> * Downloading a data: URI, e.g. 'save-link-as' of "data:..."
>
> Our telemetry indicates that Firefox would have blocked 0.01% of all loads
> in 55 release. It’s unfortunate that the permalink [1] for
> DOCUMENT_DATA_URI_LOADS stopped working today, so you have to take my word
> for it. To be fair, those telemetry numbers include all top-level data: URI
> navigations. Recently we have refined our blocking mechanism and
> deactivated blocking data:image/* loads as well as data:application/pdf, so
> we expect the blockage number to be even smaller.
>
> Please note that IE/Edge never supported data: URI navigations [2]. Chrome
> started to print a deprecation warning for top-level data: URI navigations
> within M57 and started to block such navigations within M60.
>
> Overall progress of the project will be tracked here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1380959
>
> Thanks,
> Christoph
>
> [1] https://mzl.la/2x5pGRX
> [2] https://msdn.microsoft.com/en-us/library/cc848897.aspx
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
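The BLOCKED/ALLOWED lists in Christoph's mail, written out as a testable policy function. This is an added example for this page, not code from Firefox or from anyone in the thread; the function names (parseDataUriMediaType, classifyTopLevelDataNavigation), the initiator labels ('web', 'urlbar', 'download') and the sample URIs are my own constructions. It models only what the mail states: a web-initiated top-level navigation to a data: URI is blocked unless the media type is image/* (other than image/svg+xml) or application/pdf, while URL-bar entry and downloads stay allowed. The media-type parsing follows the RFC 2397 shape data:[<mediatype>][;base64],<data>, so a URI with no media type counts as text/plain.

```javascript
// Added example, not code from the original thread or from Firefox.
// Models the top-level data: URI navigation policy described in the mail.

// Extract the media type (type/subtype, lowercased) from a data: URI.
// Per RFC 2397 the part before the first comma is
//   [<mediatype>][;charset=...][;base64]
// and an omitted mediatype means text/plain. Returns null when the input
// is not a (well-formed) data: URI.
function parseDataUriMediaType(uri) {
  const m = /^data:([^,]*),/i.exec(uri.trim());
  if (!m) return null;
  // Drop ;base64 and ;key=value parameters, keep only type/subtype.
  const typeSubtype = m[1].split(';')[0].trim().toLowerCase();
  return typeSubtype === '' ? 'text/plain' : typeSubtype;
}

// initiator (hypothetical labels used by this example):
//   'web'      - triggered by page content: window.open, location=, <a href>,
//                302 redirect, meta refresh
//   'urlbar'   - user typed or pasted the URI into the address bar
//   'download' - user chose save-link-as on the URI
// Returns 'allowed', 'blocked', or 'not-data-uri'.
function classifyTopLevelDataNavigation(uri, initiator) {
  const type = parseDataUriMediaType(uri);
  if (type === null) return 'not-data-uri';

  // Explicit user actions are not affected by the block.
  if (initiator === 'urlbar' || initiator === 'download') return 'allowed';
  if (initiator !== 'web') throw new Error(`unknown initiator: ${initiator}`);

  // Web-initiated top-level navigation: SVG is excluded from the image
  // exemption because it can carry script, which is the whole concern.
  if (type === 'image/svg+xml') return 'blocked';
  if (type.startsWith('image/')) return 'allowed';
  if (type === 'application/pdf') return 'allowed';
  return 'blocked';
}

// Constructed sample navigations, one per case from the mail.
const SAMPLES = [
  ['data:text/html,<script>alert(document.domain)</script>', 'web'],
  ['data:text/html;charset=utf-8,<h1>Sign in</h1>', 'web'],
  ['data:;base64,SGVsbG8=', 'web'],
  ['data:image/png;base64,iVBORw0KGgo=', 'web'],
  ['data:image/svg+xml,<svg onload="alert(1)"/>', 'web'],
  ['data:application/pdf;base64,JVBERi0=', 'web'],
  ['data:text/html,<h1>typed by the user</h1>', 'urlbar'],
  ['data:text/html,<h1>saved by the user</h1>', 'download'],
  ['https://example.invalid/', 'web'],
];

for (const [uri, initiator] of SAMPLES) {
  const verdict = classifyTopLevelDataNavigation(uri, initiator);
  console.log(`${verdict.padEnd(12)} ${initiator.padEnd(8)} ${uri}`);
}
```

The function is deliberately pure so it can be dropped into a test suite that enumerates the mail's cases; a real browser check additionally depends on whether the navigation targets the top-level window, which this model takes as given.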