You read my mind -- thanks!

Alex

On Fri, Sep 15, 2017 at 1:16 PM, Christoph Kerschbaumer <ckers...@gmail.com> wrote:

>
> On Sep 15, 2017, at 7:14 PM, Alex Gaynor <agay...@mozilla.com> wrote:
>
> Hi Christoph,
>
> Great stuff!
>
> Are external applications able to trigger loads of data:, e.g. a desktop
> mail application, via the OS protocol handler facilities?
>
>
> Sorry I forgot to mention that explicitly. Since scammers mostly trick
> users by sending emails, those navigations to data: URIs will also be
> blocked.
>
> Alex
>
> On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer <ckerschb@gmail.com> wrote:
>
>> Hey Everyone,
>>
>> we plan to prevent web pages from navigating the top-level window to a
>> data: URI. Historically data: URIs caused confusion for end users; mostly
>> because end users are not aware that data: URIs can encode untrusted
>> content into a URL. The fact that data: URIs can execute JavaScript makes
>> them popular amongst scammers for spoofing and phishing attacks.
>>
>> To mitigate that risk we installed a pref 
>> (“security.data_uri.block_toplevel_data_uri_navigations”)
>> which blocks all top-level navigations to a data: URI. We plan to flip that
>> pref in Nightly using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will
>> evaluate whether we can flip on that change in behavior for FF57 or whether
>> we are going to wait to ship that change in behavior till FF58.
>>
>> In more detail, the following cases will be:
>> BLOCKED:
>>  * Navigating to a new top-level data: URI document using:
>>    - window.open("data:...");
>>    - window.location = "data:..."
>>    - clicking <a href="data:..." (including ctrl+click, 'open-link-in-*',
>> etc).
>>  * Redirecting to a new top-level data: URI document using:
>>    - 302 redirects to "data:..."
>>    - meta refresh to "data:..."
>>
>> ALLOWED:
>>  * User explicitly entering/pasting "data:..." into the URL bar
>>  * Opening "data:image/*" in top-level window, unless it's
>> "data:image/svg+xml"
>>  * Opening “data:application/pdf” in top-level window
>>  * Downloading a data: URI, e.g. 'save-link-as' of "data:..."
>>
>> Our telemetry indicates that Firefox would have blocked 0.01% of all
>> loads in 55 release. It’s unfortunate that the permalink [1] for
>> DOCUMENT_DATA_URI_LOADS stopped working today, so you have to take my word
>> for it. To be fair, those telemetry numbers include all top-level data: URI
>> navigations. Recently we have refined our blocking mechanism and
>> deactivated blocking data:image/* loads as well as data:application/pdf, so
>> we expect the blockage number to be even smaller.
>>
>> Please note that IE/Edge never supported data: URI navigations [2].
>> Chrome started to print a deprecation warning for top-level data: URI
>> navigations within M57 and started to block such navigations within M60.
>>
>> Overall progress of the project will be tracked here:
>>   https://bugzilla.mozilla.org/show_bug.cgi?id=1380959
>>
>> Thanks,
>>  Christoph
>>
>> [1] https://mzl.la/2x5pGRX
>> [2] https://msdn.microsoft.com/en-us/library/cc848897.aspx
>>
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>
>
>
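The BLOCKED/ALLOWED rules in Christoph's announcement, written out as a small policy classifier. This is an added illustration, not Firefox's implementation; the trigger names ("urlbar", "download", "link-click", and so on) are constructed labels for the cases the announcement lists.

```javascript
// Model of the top-level data: URI navigation policy described in the thread.
// Added example, not Firefox code. Inputs: the target URL string and a
// constructed label for how the navigation was triggered.

// Triggers the announcement lists as ALLOWED regardless of media type:
// the user typing/pasting into the URL bar, or downloading ('save-link-as').
const USER_INITIATED = new Set(["urlbar", "download"]);

// Page-driven triggers the announcement lists as BLOCKED for a generic data: URI.
const PAGE_INITIATED = new Set([
  "window.open", "location", "link-click", "302-redirect", "meta-refresh",
]);

// Extract the media type from a data: URI ("data:[<mediatype>][;base64],<data>").
// Per RFC 2397 an empty media type defaults to text/plain. Returns null for
// anything that is not a data: URI.
function dataUriMediaType(url) {
  const m = /^data:([^,;]*)/i.exec(url.trim());
  if (!m) return null;
  return (m[1] || "text/plain").toLowerCase();
}

// Returns "not-data" for non-data: URLs, otherwise "allowed" or "blocked"
// according to the rules in the announcement.
function classifyTopLevelNavigation(url, trigger) {
  const type = dataUriMediaType(url);
  if (type === null) return "not-data";
  if (USER_INITIATED.has(trigger)) return "allowed";
  if (!PAGE_INITIATED.has(trigger)) throw new Error(`unknown trigger: ${trigger}`);
  // data:application/pdf stays allowed even when a page drives the navigation.
  if (type === "application/pdf") return "allowed";
  // data:image/* stays allowed, except SVG, which can carry script.
  if (type.startsWith("image/") && type !== "image/svg+xml") return "allowed";
  // Everything else (text/html, text/plain, unknown types) is blocked.
  return "blocked";
}
```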
