Data URLs, that is, URLs prefixed with the data: scheme, which allows small data files to be embedded in web pages, are sometimes exploited for phishing attacks, because such URLs can contain a legitimate address string while showing disguised content in the browser.
To mitigate this security risk, Firefox will soon block navigation attempts that would otherwise open a data URL in the top-level browser window. This change will affect the following scenarios:
- A data URL link on a page is clicked manually or programmatically
- A page tries to load a data URL with
- A page tries to load a data URL in a new tab with
- Content in a frame tries to load a data URL in the top-level window or in a new tab
Note that non-SVG images, PDF, JSON and plain text files are whitelisted so those data URL navigations are always allowed.
Meanwhile, these operations will not be affected:
- A user manually types a data URL in the Address Bar to try to load the content
- A page tries to load a data URL in a
- A page uses a data URL for an image or other assets
- A page triggers a data file download
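
To check ahead of time which of a site's own links fall under the top-level block described above, a small audit helper can apply the same rules. This is an added example, not Firefox's code; the function names, the context labels, and the mapping of the allowed file kinds to concrete MIME types are assumptions, and the sample links are constructed.

```javascript
// Exact media types assumed to correspond to "PDF, JSON and plain text".
const ALLOWED_EXACT = new Set(["application/pdf", "application/json", "text/plain"]);

// Return the lowercase media type of a data: URL, or null if the
// string is not a well-formed data: URL (scheme plus comma separator).
function dataUrlMediaType(url) {
  const m = /^\s*data:([^,]*),/i.exec(url);
  if (!m) return null;
  // Drop parameters such as ;charset=utf-8 and ;base64.
  const type = m[1].split(";")[0].trim().toLowerCase();
  // RFC 2397: an omitted media type defaults to text/plain.
  return type === "" ? "text/plain" : type;
}

// Non-SVG images plus the exact types above are always allowed.
function isAllowlistedType(type) {
  if (ALLOWED_EXACT.has(type)) return true;
  return type.startsWith("image/") && type !== "image/svg+xml";
}

// context "top-level": link click, script navigation, new tab, or a frame
// targeting the top window. Any other context (asset, download) is unaffected.
function classifyDataUrlLoad(url, context) {
  const type = dataUrlMediaType(url);
  if (type === null) return "not-data-url";
  if (context !== "top-level") return "allowed";
  return isAllowlistedType(type) ? "allowed" : "blocked";
}

// Return the link targets that would be blocked as top-level navigations.
function auditLinks(hrefs) {
  return hrefs.filter((h) => classifyDataUrlLoad(h, "top-level") === "blocked");
}

// Constructed sample input, for illustration only.
const SAMPLE_HREFS = [
  "data:text/html,<h1>hi</h1>",
  "data:image/png;base64,iVBORw0KGgo=",
  "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>",
  "data:,hello",
  "DATA:Application/JSON;charset=utf-8,{}",
  "https://example.com/",
];

console.log(auditLinks(SAMPLE_HREFS)); // the text/html and image/svg+xml links
```

Links the audit reports can be changed to use one of the unaffected paths listed above, such as triggering a download.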