
Blocking Top-Level Navigations to Data URLs for Firefox 58 - mgliwka
https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-58/
======
eridius
Wouldn't it make more sense just to fix the URL bar to make data URIs look
different? You could even go to the extreme of making it just show "data:…"
and requiring you to put focus on it to find out the full URI.

~~~
userbinator
No kidding... this is a problem they created by hiding/obfuscating the URL
scheme. If the majority of URLs you visit start with http:// or
https://, then data: stands out like the proverbial sore thumb.

~~~
beefhash
That requires that you know what you're doing, though. Non-technical people
are probably more inclined to think along the lines of "huh, odd, but
everything looks fine, so it's probably my fault it looks like that".

~~~
ascorbic
In that case why bother with using a data url at all? They could just use
"www.paypal.com.cgi-bin.webscr.xxxxxxxxx.myevilsite.com"

~~~
beefhash
That way, they don't have to bother with a domain registration, either. A
domain registration is neither free of charge nor entirely free of risk.

~~~
code_duck
They could just create subdomains on a compromised domain they control
belonging to someone else.

------
discreditable
I'm glad they aren't blocking explicit entries. This morning I discovered I
could quickly send snippets of text to my phone by writing it as a data URI
and sending the tab via Fx Sync.

~~~
Jach
On linux boxes, for small snippets I use 'qrencode -t ansi "message"' and use
a QR scanner app to read the text to my phone...

~~~
Mayzie
Alternatively for Android, you could enable KDE Connect[1] and copy the text
to the clipboard (which will then be copied to the Android clipboard, and
vice-versa). Or easily put it in a file and transfer it over to your device.

[1] [https://community.kde.org/KDEConnect](https://community.kde.org/KDEConnect)

~~~
yoodenvranx
KDE Connect is one of the programs I can't live without anymore!

------
tetromino_
Depending on how exactly this block works, it may break an important
functionality of our application :/

We generate SVG graphs in the browser, and have a button with a
data:image/svg+xml URL to allow users to download these graphs, for example to
include in a publication.

~~~
dfabulich
You’re fine.

> _Whereas the following cases will be allowed:_

> _• Downloading a data: URL, e.g. ‘save-link-as’ of “data:…”_

~~~
jacobn
That sounds like the user will have to right-click and choose "Save As"?

~~~
chrismorgan
I presume the `download` attribute will still work, as it’s not navigation:

    <a href="data:image/svg+xml,…" download="filename.svg">

~~~
tetromino_
And that "I presume" instead of "I am quite certain" is precisely why I said I
was worried about exactly how this block works. I will need to try with the
beta, I suppose.

~~~
potch
I can confirm <a download> links with data: URIs will work after this change.

I built a test to demonstrate: [https://data-uri-test.glitch.me/](https://data-uri-test.glitch.me/)
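For the SVG-download case discussed in this subthread, here is an added example (my own code, not from the thread, from potch's test page, or from Mozilla) that builds the `data:image/svg+xml` URL for a client-generated graph and attaches it to an `<a download>` link, the path the blog post lists as allowed. The names `svgToDataUrl`, `downloadLinkHtml`, `safeFilename` and `triggerDownload`, and the sample SVG, are assumptions made for the example; `triggerDownload` is browser-only and simply returns `false` outside a page.

```javascript
// Added example: build a data:image/svg+xml URL for a client-generated SVG
// and attach it to an <a download> link, which Firefox 58 treats as a
// download rather than a top-level navigation. Function names and the
// sample SVG are assumptions made for this example.

const SVG_MEDIA_TYPE = 'image/svg+xml';

// Percent-encoding (the default here) keeps the URL readable and survives
// '#', '%', '<' and quotes inside an href; base64 is the other common form.
function svgToDataUrl(svg, { base64 = false } = {}) {
  if (base64) {
    const b64 = Buffer.from(svg, 'utf8').toString('base64');
    return `data:${SVG_MEDIA_TYPE};base64,${b64}`;
  }
  return `data:${SVG_MEDIA_TYPE};charset=utf-8,${encodeURIComponent(svg)}`;
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep the suggested filename to a conservative character set so a
// generated name cannot carry path separators or control characters.
function safeFilename(name) {
  const cleaned = name.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  return cleaned.endsWith('.svg') ? cleaned : `${cleaned}.svg`;
}

// Static markup: the download attribute is what makes the click a download.
function downloadLinkHtml(svg, filename, label = 'Download SVG') {
  const href = svgToDataUrl(svg);
  const name = safeFilename(filename);
  return `<a href="${escapeAttr(href)}" download="${escapeAttr(name)}">${label}</a>`;
}

// Browser-only: programmatic download through a temporary <a download>
// element. Guarded so the helpers above still load under Node.
function triggerDownload(svg, filename) {
  if (typeof document === 'undefined') return false;
  const a = document.createElement('a');
  a.href = svgToDataUrl(svg);
  a.download = safeFilename(filename);
  document.body.appendChild(a);
  a.click();
  a.remove();
  return true;
}

// Constructed sample graph, standing in for an application-generated chart.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="50">' +
  '<rect x="10" y="10" width="30" height="30" fill="#36c"/>' +
  '<text x="50" y="35">50%</text></svg>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(downloadLinkHtml(SAMPLE_SVG, 'graph 2017'));
}
```

In the page, either render the static anchor or call `triggerDownload(svg, name)` from the button's click handler; both go through the download path rather than navigating the tab, which is the case potch's test exercises.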

~~~
tetromino_
Thanks for checking and the reassurance!

------
daurnimator
Hrm, I think this will block the only data uri I use: the 'this form' button
on [http://sprunge.us/](http://sprunge.us/)

~~~
rossy
Yeah, the form on [http://sprunge.us/](http://sprunge.us/) is blocked for me
in Firefox 58.0b7, which is kind of annoying because I used it regularly. If
this is a phishing problem, couldn't it be fixed by changing UI rather than
breaking functionality?

------
badrabbit
Thank you so much for this, Mozilla. It is ridiculously easy to trick even
tech-savvy users with a data: URI phish.

------
theandrewbailey
Hopefully data:image/ still works for favicons. Embedding a highly
compressible ~450 byte string in HTML is faster than issuing a new request,
under most instances.

~~~
tinus_hn
I’m not sure Firefox even uses favicons anymore but that definitely isn’t
navigation so it isn’t blocked.

~~~
giancarlostoro
It does; not sure why you would think it doesn't? I do know Chrome gets
annoying about them, always requesting a site's favicon even when it doesn't
have one listed in the document.

~~~
tinus_hn
I haven’t seen them in the UI while I remember them being shown quite
prominently. I wouldn’t really expect them to be used only for sites added to
favorites because that’s a privacy issue.

~~~
giancarlostoro
Might be a setting in yours, or a plugin of some sort?

------
chriswarbo
Does anyone have a (non-malicious) example of this sort of "attack"? I don't
quite get it; some people are mentioning JavaScript, but the description
sounds more like phishing, e.g.
`data:text/html;base64,MyBank.com/account/xxxxx`

Presumably such leading junk is hidden in the rendered page, making the user
think they're on MyBank.com?

~~~
Grollicus
I know of a website that decrypts all its content client-side and uses this (I
think) as a mechanism for a user to download his own attachments.

The idea is that the whole website could be a static file somewhere and the
webserver is only a key-value store that has no idea what it is saving.
Doesn't work that way currently because file:/// doesn't allow AJAX calls to
somewhere else, but that's a solvable problem.

Generally, every download that gets generated client-side by the JS is hit by
this.

~~~
fzzzy
This does not affect downloads of data urls, only navigation to data urls.

------
jancsika
> Opening “data:image/*” in top-level window, unless it’s “data:image/svg+xml”

Just curious: why the exception for SVG?

~~~
croddin
I think they block svg but not other images because svgs can contain
javascript and could be used in a phishing attack.

i.e.

    data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert('hi')</script></svg>

~~~
jancsika
Oh wow, even if you right-click "View Image" the script gets run.
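To make the distinction in this subthread concrete, the following added example (my own code, not Mozilla's and not taken from the blog post) parses a data: URL and applies the rules as they are quoted in this thread: downloads, user-typed entries and subresources (iframes, images, favicons) are left alone, a top-level navigation to data:image/* is allowed unless the type is image/svg+xml, and any other top-level navigation to data: is blocked. The blog post's full lists contain cases not quoted here, so `isBlocked` is a reading aid rather than Firefox's actual logic; the function names, the context labels and the sample URLs (apart from the SVG snippet quoted above) are assumptions made for the example.

```javascript
// Added example: parse data: URLs and classify them under the Firefox 58
// top-level navigation rules as quoted in this thread. This is a reading
// aid, not Firefox's implementation; function names, context labels and
// the sample URLs are assumptions made for the example.

// Parse the RFC 2397 form data:[<mediatype>][;base64],<data>.
// Returns null for anything that is not a data: URL.
function parseDataUrl(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return null;
  const comma = url.indexOf(',');
  if (comma === -1) return null;
  const params = url.slice(5, comma).split(';').map(p => p.trim());
  const mediaType = (params.shift() || 'text/plain').toLowerCase();
  const isBase64 = params.some(p => p.toLowerCase() === 'base64');
  const raw = url.slice(comma + 1);
  let body;
  try {
    body = isBase64
      ? Buffer.from(raw, 'base64').toString('utf8')
      : decodeURIComponent(raw);
  } catch (e) {
    body = raw; // malformed percent-encoding: keep the raw payload
  }
  return { mediaType, isBase64, body };
}

// How the URL is being opened. Only 'top-level' navigations are subject to
// the block; the other three are the allowed cases mentioned in the thread.
const CONTEXTS = new Set(['top-level', 'user-typed', 'download', 'subresource']);

function isBlocked(url, context) {
  if (!CONTEXTS.has(context)) throw new Error(`unknown context: ${context}`);
  const parsed = parseDataUrl(url);
  if (parsed === null) return false;         // http(s), javascript:, etc. are out of scope
  if (context !== 'top-level') return false; // typed, saved, or loaded as a subresource
  const { mediaType } = parsed;
  const plainImage = mediaType.startsWith('image/') && mediaType !== 'image/svg+xml';
  return !plainImage;                         // every other top-level data: navigation is blocked
}

// Coarse heuristic behind the svg+xml exception: flag an inline <script>
// element or an on* event-handler attribute in a decoded SVG payload for
// review. A real check would parse the XML; this only surfaces candidates.
function svgHasScript(url) {
  const parsed = parseDataUrl(url);
  if (parsed === null || parsed.mediaType !== 'image/svg+xml') return false;
  return /<script[\s>]|\son[a-z]+\s*=/i.test(parsed.body);
}

// Given link descriptions harvested from a page (constructed here), report
// which clicks would be top-level data: navigations under these rules.
function auditLinks(links) {
  return links.map(link => {
    const context = link.download !== undefined ? 'download' : 'top-level';
    return { href: link.href, context, blocked: isBlocked(link.href, context) };
  });
}

// Constructed samples; the svg one is the snippet quoted above in the thread.
const SAMPLES = [
  'data:text/html;base64,PGgxPkhpPC9oMT4=',
  'data:image/png;base64,iVBORw0KGgo=',
  "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert('hi')</script></svg>",
  'https://example.com/',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of SAMPLES) {
    console.log(isBlocked(u, 'top-level') ? 'blocked' : 'allowed',
                svgHasScript(u) ? '(script in svg)' : '', u.slice(0, 40));
  }
}
```

`auditLinks` takes the shape a scraper or a browser extension would hand over (`href` plus the `download` attribute when present); it is the download attribute, not the media type, that moves a click from the blocked column to the allowed one.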

------
eximius
Hm. But will I still be able to open them from the developer console...?

------
ris
I'm trying to figure out if this will kill Bookmarklets
([https://en.wikipedia.org/wiki/Bookmarklet](https://en.wikipedia.org/wiki/Bookmarklet))

~~~
skykooler
Bookmarklets use javascript: URLs, not data: URLs.

~~~
ris
So yeah, I would have thought so too, but am confused over the first few
examples of "blocked" he gives...

~~~
DiThi
Only some bookmarklets that go to a data URL on top level are affected. They
should be easy to modify to open them inside an iframe or to replace the
existing document instead.
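As an added illustration of DiThi's point (example code, not from the thread and not from Mozilla), here are three builders for the same "show generated HTML" bookmarklet: the old pattern that assigns a data:text/html URL to `location.href`, which is exactly the top-level navigation Firefox 58 blocks, and two alternatives that either rewrite the current document in place or load the data: URL in an iframe, neither of which is a top-level navigation. The function names and the sample HTML are assumptions. One caveat before choosing the in-place variant: content written with `document.write` keeps the origin of the page the bookmarklet ran on, whereas a document loaded from a data: URL does not share that origin, so whatever is written that way runs with that site's privileges.

```javascript
// Added example: three bookmarklet builders for one task (display a
// generated HTML snippet). Names and sample HTML are assumptions made for
// this example; none of this is from the thread or from Mozilla.

// Wrap a JavaScript body as a javascript: URL. Percent-encoding keeps the
// body intact when pasted into a bookmark's location field.
function toBookmarklet(jsBody) {
  return 'javascript:' + encodeURIComponent(`(function(){${jsBody}})();`);
}

// Inverse of toBookmarklet, for inspecting what a bookmarklet will run.
function bookmarkletBody(url) {
  if (!url.startsWith('javascript:')) throw new Error('not a javascript: URL');
  return decodeURIComponent(url.slice('javascript:'.length));
}

function htmlToDataUrl(html) {
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

// Old pattern: navigate the top-level window to data:text/html.
// Firefox 58 blocks this as a top-level navigation to data:.
function viaDataUrl(html) {
  return toBookmarklet(`location.href=${JSON.stringify(htmlToDataUrl(html))};`);
}

// Alternative 1: replace the current document in place. No navigation
// occurs; the result keeps the host page's origin (see the caveat above).
function viaDocumentWrite(html) {
  const body = `document.open();document.write(${JSON.stringify(html)});document.close();`;
  return toBookmarklet(body);
}

// Alternative 2: load the data: URL in an iframe, which is not top-level.
function viaIframe(html) {
  const body =
    `var f=document.createElement('iframe');` +
    `f.src=${JSON.stringify(htmlToDataUrl(html))};` +
    `f.style.cssText='position:fixed;top:0;left:0;width:100%;height:100%;border:0;z-index:2147483647';` +
    `document.body.appendChild(f);`;
  return toBookmarklet(body);
}

// Does the bookmarklet's body assign a data: URL to the top-level location
// or open one in a new window? A coarse textual check for triaging an
// existing bookmark collection before the Firefox 58 update.
function navigatesTopLevelToData(url) {
  const body = bookmarkletBody(url);
  return /\b(location(\.href)?|window\.location)\s*=\s*["']data:/i.test(body) ||
         /window\.open\(\s*["']data:/i.test(body);
}

// Constructed sample, chosen to exercise quote escaping in JSON.stringify.
const SAMPLE_HTML = '<h1>Hello from a "bookmarklet"</h1><p>It\'s a test.</p>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const build of [viaDataUrl, viaDocumentWrite, viaIframe]) {
    const url = build(SAMPLE_HTML);
    console.log(build.name, navigatesTopLevelToData(url) ? 'affected' : 'unaffected');
  }
}
```

`navigatesTopLevelToData` is only a regex over the decoded body, so it will miss indirection (a variable holding the URL, `location.assign`, a meta refresh written into the page); it is meant to sort a bookmark list quickly, after which the flagged entries get rewritten with one of the two alternatives.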

