You read my mind -- thanks! Alex
On Fri, Sep 15, 2017 at 1:16 PM, Christoph Kerschbaumer <ckers...@gmail.com> wrote:

> On Sep 15, 2017, at 7:14 PM, Alex Gaynor <agay...@mozilla.com> wrote:
>
> Hi Christoph,
>
> Great stuff!
>
> Are external applications able to trigger loads of data:, e.g. a desktop
> mail application, via the OS protocol handler facilities?
>
>
> Sorry I forgot to mention that explicitly. Since scammers mostly trick
> users by sending emails, those navigations to data: URIs will also be
> blocked.
>
> Alex
>
> On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer <ckerschb@gmail.com> wrote:
>
>> Hey Everyone,
>>
>> we plan to prevent web pages from navigating the top-level window to a
>> data: URI. Historically data: URIs caused confusion for end users; mostly
>> because end users are not aware that data: URIs can encode untrusted
>> content into a URL. The fact that data: URIs can execute JavaScript makes
>> them popular amongst scammers for spoofing and phishing attacks.
>>
>> To mitigate that risk we installed a pref
>> (“security.data_uri.block_toplevel_data_uri_navigations”)
>> which blocks all top-level navigations to a data: URI. We plan to flip that
>> pref in Nightly using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will
>> evaluate whether we can flip on that change in behavior for FF57 or whether
>> we are going to wait to ship that change in behavior till FF58.
>>
>> In more detail, the following cases will be:
>> BLOCKED:
>> * Navigating to a new top-level data: URI document using:
>>   - window.open("data:...");
>>   - window.location = "data:..."
>>   - clicking <a href="data:..." (including ctrl+click, 'open-link-in-*', etc).
>> * Redirecting to a new top-level data: URI document using:
>>   - 302 redirects to "data:..."
>>   - meta refresh to "data:..."
>>
>> ALLOWED:
>> * User explicitly entering/pasting "data:..." into the URL bar
>> * Opening "data:image/*" in top-level window, unless it's "data:image/svg+xml"
>> * Opening “data:application/pdf” in top-level window
>> * Downloading a data: URI, e.g. 'save-link-as' of "data:..."
>>
>> Our telemetry indicates that Firefox would have blocked 0.01% of all
>> loads in 55 release. It’s unfortunate that the permalink [1] for
>> DOCUMENT_DATA_URI_LOADS stopped working today, so you have to take my word
>> for it. To be fair, those telemetry numbers include all top-level data: URI
>> navigations. Recently we have refined our blocking mechanism and
>> deactivated blocking data:image/* loads as well as data:application/pdf, so
>> we expect the blockage number to be even smaller.
>>
>> Please note that IE/Edge never supported data: URI navigations [2].
>> Chrome started to print a deprecation warning for top-level data: URI
>> navigations within M57 and started to block such navigations within M60.
>>
>> Overall progress of the project will be tracked here:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1380959
>>
>> Thanks,
>>   Christoph
>>
>> [1] https://mzl.la/2x5pGRX
>> [2] https://msdn.microsoft.com/en-us/library/cc848897.aspx
>>
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
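The BLOCKED/ALLOWED rules from Christoph's announcement, modelled as an added example that is not Firefox's own code: a small policy function that classifies a navigation to a data: URI, assuming a constructed navigation record with `url`, `topLevel`, `userTyped` and `isDownload` fields (all hypothetical names).

```javascript
// Added example modelling the policy described in the thread; this is not
// Firefox's implementation. A navigation is a constructed record:
//   { url, topLevel, userTyped, isDownload }
// Loads handed to the browser by an external application (the case Alex
// asked about) are top-level and not user-typed, so they end up blocked.

// Extract the media type from a data: URI per RFC 2397,
// e.g. "data:image/png;base64,..." -> "image/png". Returns null if not data:.
function dataUriMediaType(url) {
  if (!/^data:/i.test(url)) return null;
  const afterScheme = url.slice("data:".length);
  const comma = afterScheme.indexOf(",");
  const header = comma === -1 ? afterScheme : afterScheme.slice(0, comma);
  const mediaType = header.split(";")[0].trim().toLowerCase();
  return mediaType === "" ? "text/plain" : mediaType; // RFC 2397 default
}

// Returns "allow" or "block" for a navigation record, following the
// BLOCKED/ALLOWED lists in the announcement.
function decideDataUriNavigation(nav) {
  const mediaType = dataUriMediaType(nav.url);
  if (mediaType === null) return "allow";      // not a data: URI at all
  if (!nav.topLevel) return "allow";           // only top-level loads are in scope
  if (nav.userTyped) return "allow";           // typed or pasted into the URL bar
  if (nav.isDownload) return "allow";          // e.g. 'save-link-as'
  if (mediaType === "application/pdf") return "allow";
  if (mediaType.startsWith("image/") && mediaType !== "image/svg+xml") {
    return "allow";                            // plain images; SVG can carry script
  }
  return "block";                              // text/html and everything else
}

// Constructed sample navigations covering the cases from the thread.
const SAMPLE_NAVIGATIONS = [
  { url: "data:text/html,<h1>Sign in</h1>", topLevel: true, userTyped: false, isDownload: false },
  { url: "data:image/svg+xml,<svg/>", topLevel: true, userTyped: false, isDownload: false },
  { url: "data:image/png;base64,iVBORw0KGgo=", topLevel: true, userTyped: false, isDownload: false },
  { url: "data:application/pdf;base64,JVBERi0=", topLevel: true, userTyped: false, isDownload: false },
  { url: "data:text/html,<h1>typed</h1>", topLevel: true, userTyped: true, isDownload: false },
  { url: "data:text/html,<p>frame</p>", topLevel: false, userTyped: false, isDownload: false },
];

// Classify every sample; the first two are blocked, the rest allowed.
function classifyAll(navs) {
  return navs.map((nav) => decideDataUriNavigation(nav));
}
```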