Data URL navigations on top level window will now be blocked

Categories: DOM Privacy & Security

Description

Data URLs (URLs using the data: scheme, which embeds a small file directly in the URL itself) are sometimes exploited for phishing attacks, because such a URL can carry a string that looks like a legitimate address while the browser displays disguised, attacker-chosen content.

To mitigate this risk, Firefox will soon block navigation attempts that would otherwise open a data URL in the top level browser window. This change affects the following scenarios:

  • A data URL link on a page is clicked manually or programmatically
  • A page tries to load a data URL with location.href, location.assign() or location.replace()
  • A page tries to load a data URL in a new tab with window.open()
  • Content inside a frame tries to load a data URL in the top level window or in a new tab

Note that non-SVG images, PDF, JSON and plain text files are whitelisted, so data URL navigations to those content types are always allowed.

The following operations are not affected:

  • A user manually types a data URL in the Address Bar to load the content
  • A page tries to load a data URL in a <frame> or <iframe>
  • A page uses a data URL for an image or other assets
  • A page triggers a data file download
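As an added example that is not part of the Mozilla note, the following JavaScript encodes the rules above so a site owner can audit their own links and scripts before the change ships. The navigation kind labels, the function names and the sample links are assumptions made for illustration.

```javascript
// Added example: mirrors the blocking rules in the note above. The MIME-type
// whitelist and the affected navigation scenarios come from the note; the
// 'kind' labels and function names are illustrative assumptions.

// Extract the media type from a data URL of the form
// data:[<mediatype>][;base64],<data>. Returns null for non-data URLs.
// Per RFC 2397, an omitted media type means text/plain.
function dataUrlMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url.trim());
  if (!m) return null;
  const mediaType = m[1].split(';')[0].trim().toLowerCase();
  return mediaType === '' ? 'text/plain' : mediaType;
}

// Content types the note says are always allowed to navigate top level:
// non-SVG images, PDF, JSON and plain text.
function isWhitelistedType(mediaType) {
  if (mediaType === 'application/pdf') return true;
  if (mediaType === 'application/json') return true;
  if (mediaType === 'text/plain') return true;
  return mediaType.startsWith('image/') && mediaType !== 'image/svg+xml';
}

// Navigation kinds (assumed labels):
//   'toplevel' - content-initiated top level navigation: link click,
//                location.href/assign/replace, window.open, frame -> top
//   'typed'    - user types the URL into the Address Bar
//   'frame'    - loaded into a <frame> or <iframe>
//   'asset'    - image or other subresource
//   'download' - triggers a file download
// Only 'toplevel' is subject to the block, and only for non-whitelisted types.
function willFirefoxBlock(url, kind) {
  const mediaType = dataUrlMediaType(url);
  if (mediaType === null) return false;   // not a data URL, rule does not apply
  if (kind !== 'toplevel') return false;  // typed, framed, asset, download: unaffected
  return !isWhitelistedType(mediaType);
}

// Audit helper: given href values collected from a page's <a> elements,
// return the ones that will stop working once the change ships.
function findBlockedLinks(hrefs) {
  return hrefs.filter((href) => willFirefoxBlock(href, 'toplevel'));
}

// Constructed sample links for a quick run.
const SAMPLE_LINKS = [
  'https://example.com/page',                 // ordinary URL, unaffected
  'data:text/html,<h1>Sign in</h1>',          // HTML data URL: blocked
  'data:image/svg+xml,<svg></svg>',           // SVG is excluded from the whitelist
  'data:image/png;base64,iVBORw0KGgo=',       // non-SVG image: allowed
  'data:application/pdf;base64,JVBERi0=',     // PDF: allowed
  'data:,Hello',                              // defaults to text/plain: allowed
];
```

Running findBlockedLinks(SAMPLE_LINKS) reports only the HTML and SVG entries; the same classifier can be reused for location.assign() and window.open() call sites by passing 'toplevel'.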
