Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.

What?

[DontBeAMoran]

Why do they always need to re-invent the wheel? Why can't they use RFC 3514 like everybody else?

Re:What?

It's mozilla. They also can't use x509 like intendet but invent their own rules ("Thou shall not use duplicate serials, evvvorrrr")...

Re:What?

RTFRFC

Re:What?

You were specifically instructed noted to be a Moran ;-)

RFC 3514 is the "Evil Bit" - a joke.

Eat to the Beat!

https://media1.s-nbcnews.com/j...

Re:Eat to the Beat!

Were he actually touching her breasts, you'd not be able to see the shadows beneath his fingertips, genius.

Re:Eat to the Beat!

Was she in FACULTY? The one with Laura Harris (best Daisy Adair eva) in the buff?

Re:Eat to the Beat!

That part (picture) is juvenile. The bad part is the hand on back of head/tongue inserted part. Good thing they weren't simulating sex.

She's a personality, enjoying popularity
For making movies Rated X
Posing for a magazine, picture in a limousine
Someone simulating sex
Never thought that she could be
Lonely with her vanity
Wasted days and lonely nights
Working for the sugar man
Make each other happy man
Cause satisfaction's guaranteed all night

Not that that fits her.

Anyway

[Impy+the+Impiuos+Imp]

So...they are blocking embedded files now?

Web sites like CNN are excruciatingly slow because they are selling your ad space off in real time to a dozen different agencies.

Re:Anyway

[DontBeAMoran]

I think they are blocking data URIs in the URL?

That's what I understand when I read "block navigational data URIs".

I don't see how embedding a base64-encoded string of a PNG image inside a CSS file could be used for phishing.

Re:Anyway

They are only blocking data URLs in the address bar that use "data:text/html,base64" and such.... an obvious phishing trick used to bypass corporate phishing solutions. Trust me. It's a good thing! Data URLs inside pages or CSS files will continue to work.

Re:Anyway

[LucasBC]

They won't be blocking encoded strings for PNG's or other "safe" assets, only encoded strings in top-level data URI navigation (e.g. the address bar, browser history, etc.) and some restricted uses of embedded content such as HTML and JavaScript.

Re:Anyway

No, they're just making it so that clicking on a link to data: URIs won't do anything, unless it's just to trivial inactive content that isn't easily spoofable for use in an XSS/phishing attack. Nothing fancy, really, and Edge and Chrome have agreed to also do it. Evidently they will be focusing on their anti-tracking feature for more advanced stuff.

Re:Anyway

They are blocking it in the address bar, not in the page contents (where they should be safe).

This picture is an example of a full html file embedded in the address bar, you could use it to build a fake login page that looks real and send data wherever you wanted, and gets past many filters because it's encoded.

Here is a more advanced attack that also uses navigation plus embedded javascript in the link to take you to the legitimate site and send your data elsewhere.

Re:Anyway

Not even in the address bar, even. Just preventing a link to a Data URI like that from navigating to it. You can still copy-paste those links into the URL bar if you really wanna, like a good moron (or wiser dev trying to test stuff). I fully expect that to go away too eventually, mind you.

Re: Anyway

Hm. You'll forgive me for not trying those links...

Re:Anyway

[Unordained]

There are legitimate uses for data: URI in the navigational bar, too. I have one that I'll have to recode now, that was the result of having to work around the horrible lack of useful WebDAV support in modern browsers. Popping a new page up in a separate tab (to not mess up a single-page-application) to then do a redirect, etc. was the solution I had to come to, after Firefox killed plugins that don't meet their security requirements (which we don't for our in-house extension, because it uses the Registry and launches apps, to try to get around the same problem of poor WebDAV support -- none of that will get past today's plugin-signing process, so the extension has to die.) Data URI were a quick and easy solution for serving up temporary content in a new tab, which I'll need to replace with some kind of server-hosted page ... not at all impossible, but dang it, I had it working and it was simpler. Phishers ruin it for the rest of us.

Re:Anyway

[Aighearach]

WebDAV, is he still around?!

Re:Anyway

No. They're simply blocking a base64 encoded url (basically something that is profoundly stupid)

eg if my website is http://www.example.com I can base64 encode it to aHR0cDovL3d3dy5leGFtcGxlLmNvbQ== and your browser would load it as if it were clicked on.

Where phishing comes into play here is that you can forge an XSS attach by dropping this into a shitty ad and suddenly every time that ad is loaded, firefox browsers will go off an load it, but the url bar will still say you're on the original site.

Re:Anyway

[Unordained]

Yes, WebDAV is still around. It's not a bad spec, really useful in corporate environments.

I'm seeing complaints about Chrome's disabling of data: in the navigation bar having broken jsPDF, and that makes sense -- if they try to translate a PDF file into HTML client-side and display the temporary result in a new tab, it'll fail. The same would be true if you were generating SVG or PDF content on the fly and pushing it into a new tab for display (graphing libraries, report-generators, etc. that operate client-side rather than server-side).
It does look like they kept the functionality working as long as it's in an IFRAME, but those can get ugly to work with. At least we won't be the only ones scrambling to create workarounds...

Re:Anyway

[Aighearach]

If you're opening it in a new tab, there is no good reason for it; if you're embedding it in a document you're already rendering, there is a potential performance benefit. But if you're loading it in a new tab, the user isn't going to see any benefit; the only thing they gain is that they don't have to choose between using a temp file or using memcache or whatever!

That's easily enough to distract me from teasing poor DAV.

The sad part is, instead of fixing their crap people are just going to use extra JS and still serialize it into the URL.

IMO the problem isn't having the data in the URI, it is having the data in the URL! If it is in the URI or not, who cares? Is it stored somewhere inside the stuff in the location bar of the browser, instead of on a server? That seems the real problem.

Re: Anyway

What is CNN?

Good

They're turning off a garbage hack that should only be applied to email, anyway.

More Mozilla spam

And why is there so much Mozilla spam on here lately? This is not MMN: the Mozilla News Network.

Re:More Mozilla spam

[theweatherelectric]

The Beast adopted new raiment and studied the ways of Time and Space and Light and the Flow of energy through the Universe. From its studies, the Beast fashioned new structures from oxidised metal and proclaimed their glories. And the Beast’s followers rejoiced, finding renewed purpose in these teachings.

-- from The Book of Mozilla, 11:14

Re:More Mozilla spam

[Aighearach]

They're spending a lot of money to try to counteract the negative press over getting rid of extensions.

Re:More Mozilla spam

[lordlod]

Worse, it is Bleeping Computer reposting a Mozilla blog entry and submitting it to Slashdot.

The third example of this I have seen in the last week or so.

Re:More Mozilla spam

[KozmoStevnNaut]

What negative press? The only whining I've seen has come from hopeless shut-in neckbeards who cling on to outdated and obsolete extensions that were last updated 5+ years ago, yet expect them to still work perfectly in a completely re-written browser.

Re:More Mozilla spam

Was the browser totally rewritten, one would hope they'd dropped the "pocket" thing.

Re:More Mozilla spam

[KozmoStevnNaut]

Set "extensions.pocket.enabled" to false in about:config. Voila.

Re:More Mozilla spam

[Aighearach]

Oh, that's interesting. So, you only heard the opinions bouncing off the basement walls? Because the extensions people are talking about are very popular, actively-maintained ones. And huge numbers of people already switched browsers. It is a thing.

Probably nobody ever stopped using KDE or Gnome when they made large unpopular changes, right? Complaints don't matter, because .... ? Because why? Because we don't have any power to choose, or ... ?

Re:More Mozilla spam

[KozmoStevnNaut]

Because the extensions people are talking about are very popular, actively-maintained ones

No, not really. NoScript is probably the only one that really fits that description, and that's coming for FF57 by the end of this week.

All of the others are niche, at best. You may think they're hugely popular, but that's because you're in the tiny sphere of super hardcore nerds who insist on very specific niche extensions, because they think it would be "painful" to do without them. The outcry has been incredibly minor on the grand scale of things, while the praise has been almost completely unanimous.

Re:More Mozilla spam

[Aighearach]

Right, right, it is the same "grand scale of things" on which everybody was just going to keep using IE because it had so much market share.

If the goal is to be dismissive of people with complaints, that is the exact same goal as wanting people to switch browsers. And it does indeed seem achievable.

Re:More Mozilla spam

[KozmoStevnNaut]

No one is being dismissive of people with genuine complaints, only the sadface whiners.

Re:More Mozilla spam

[Aighearach]

Can you comprehend that that is a circular argument, and therefore stupid and idiotic? As long as you know what choice you're making, I don't care.

I don't think I've seen a single complaint that involved caring about what you think, for example. So perhaps we can at least agree that your sociopathic nonsense is off topic.

Re:More Mozilla spam

[KozmoStevnNaut]

A piece of software no longer caters to your 10 years out of date usage pattern. Oh cry me a river.

Re:More Mozilla spam

[Aighearach]

Notice in the complaints, nobody is claiming that there complaint is dependent on your feelies. I don't care what your feelies are.

Why do you think I would find your feelies relevant to my complaint? That's the part you should focus on. Why do you have an emotional attachment to my complaint? My complaint has no emotional attachment to you! That's probably why I shared my opinion, instead of asking you what opinion I should have. Complaining that my opinion exists is just sad; form your own opinion, and have it exist separately from mine, since you don't agree with mine! It is really that easy.

If you learned to think for yourself, you might be able to understand that many others are already thinking for themselves and don't really care about what negative feelies you had when you heard their opinion. It isn't an idea or a counterpoint, it is just pathetic childishness.

Re:More Mozilla spam

[Aighearach]

s/there/their/

Re:More Mozilla spam

[KozmoStevnNaut]

It's kinda funny how you claim you are completely neutral in this, but your post betrays the fact that you're deeply emotionally affected by something as silly as a web browser that doesn't cater 100% to your highly specific use case.

Get a life etc.

Re:More Mozilla spam

[Aighearach]

Nope. My post only shows a reaction to your words. Actually, it is hilarious that you can't comprehend that difference.

I'd explain it, but... yeah. Not much chance of utility.

I think that will affect slashdot

[HermMunster]

I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

Re:I think that will affect slashdot

[green1]

Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

Re:I think that will affect slashdot

Slashdot is not putting data uri's in the navigation bar...

Re:I think that will affect slashdot

[Carewolf]

I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

Why don't you just click the button to disable slashdot ads? I think you get it when you have enough karma.

Re:I think that will affect slashdot

[mjwx]

Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

./ is a bad example. Despite the number of hands its been through in recent years advertising has remained pretty unintrusive.

The sites I hate are the ones that have a popover demanding you disable your adblock so they can bombard you with VIDEO AD AT FULL VOLUME, punch the monkey, malware delivered by advertising, tracking bots, pop ups, pop overs, pop unders, pop reach-arounds, advertising interstitials and one item per page so you have to navigate through 30 pages of ads to get one, maybe two pages of content.

Please keep moving...

[140Mandak262Jamuna]

Browsers like Google Chrome and Microsoft Edge saw the abuse and acted by moving in to block the loading of data URIs inside the URL navigation bar. Now, Mozilla is doing the same for Firefox.

Nothing new

Please keep moving. Nothing to see here.

A Better Headline

[darkain]

A better headline is actually a paragraph header half way through TFA:

"Firefox joins Chrome and Edge in blocking navigational data URIs"

So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

Re:A Better Headline

When did chrome start doing that? Last time I check Chrome still get fake "your computer is infected" pop up through URI and I am using Canary.

Re:A Better Headline

[jez9999]

So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

Yeah, I forgot that the whole reason you develop a browser is to make it exactly the same as all competing browsers. There was me thinking it was about providing users with choice. What a silly notion.

Chrome and Edge already do this

Good thing, too.

Proper uses of data: URIs won't be affected, assuming they use the same techniques that Chrome and Edge use.

What about Blob?

What about the "blob:" URI scheme? I see that being abused too.

The more I hear about Firefox 57

[bobstreo]

The more I realize that I can just import my bookmarks into Chrome and treat FF like I did with the netscape browser so many years ago. Remove the app and forget about it.

The major thing that makes me want to ditch FF is that the extensions and addons in chrome won't just stop working all at once like it will with 57.

Re:The more I hear about Firefox 57

As a very long time Firefox/Firebird/Phoenix user, I do recommend that you stop using Firefox, and avoid upgrading to Firefox 57 if you can't discard it completely yet.

Firefox 57 has been a real disaster for me. Most of my extensions broke. I'm not seeing any performance improvements. I really don't like the new UI.

I've also switched to using Chromium, and I couldn't be happier. Its UI sucks, in my opinion, but at least it's fast and its extension support is now no worse than Firefox's is.

At this point I don't see how Firefox could possibly redeem itself. I really don't see how it could catch up with Chrome. Chrome is just too far ahead now.

Re:The more I hear about Firefox 57

[walllaby]

Mozilla has been stating loudly for YEARS that they would be moving on from the old add-ons. Here's an official post from them in August 2015 about beginning to move in the direction of web extensions: https://blog.mozilla.org/addon... For a browser to compete, it has to be fast, and it has to be safe. Web Extensions tick box #2.

Re:The more I hear about Firefox 57

And Kim has been stating loudly for YEARS that he will be nuking the USA.

Since when does stating for years that you are going to be an asshole make it any more ok?

Firefox is falling so far behind these days.

As a very long time Firefox user I'm getting really disappointed with it these days.

I'm not even going to go into too much detail about how awful Firefox 57 has been for me. Most of my extensions are now broken, and I sure as hell don't see the performance gains that were supposed to be provided by breaking most of my extensions. The new UI is awful, too.

The rare time I hear about something good involving Firefox, it so often turns out that Chrome, Safari and Edge had usually offered that functionality to their users much earlier than Firefox.

It's like Firefox has fallen behind all of its competitors in every major metric, including performance, privacy, security, usability and functionality.

I think we've started seeing this happen because they've been wasting so much time on failures like Pocket, Hello, Rust, Servo, and especially Firefox OS. Every dollar they spend on these unwanted, pointless projects is one less dollar spent improving Firefox in a way that Firefox's users want it improved.

After this disastrous Firefox 57 release, I've finally given up on Firefox completely. Since most of my extensions are now broken, I've switched to Chromium. I wish I had switched earlier! I get a lot better performance, and Chromium just feels like a far more mature and well-built browser than Firefox does.

There's just no point in using Firefox when Chrome, Safari and Edge are so much better in so many important ways.

Re:Firefox is falling so far behind these days.

There are only 2 options for Netflix on desktop Linux: Chrome or Firefox.
I'll stick with the one not made by an advertising company.

Re:Firefox is falling so far behind these days.

[cas2000]

that makes perfect sense - if you want to view the content made by an advertising company it would be totally insane to do it on a browser made by another advertising company.

better option: disable all DRM bullshit, boycott companies that depend upon DRM (and bribe it into web standards), and refuse to watch their programs.

if you really must view videos made by such a company, there's always bit torrent.

Hey retard

Why do you feel the need to tell us that?
I personally found 57 to be the best thing ever, and none of my extensions broke because I was ready for this update 6 months ago. BUT you don't hear me yelling about it on a has-been tech forum.

Anyway thanks for sharing, now fuck off to Chrome.

Re:Hey retard

[bobstreo]

Why do you feel the need to tell us that?
I personally found 57 to be the best thing ever, and none of my extensions broke because I was ready for this update 6 months ago. BUT you don't hear me yelling about it on a has-been tech forum.

Anyway thanks for sharing, now fuck off to Chrome.

Found the Mozilla developer in the thread.

How the fuck are you sure WebExtensions is safe?

How the fuck can you be so sure that this new WebExtensions model, which is essentially the same as Chrome's existing extension model, is actually "safe", like you so emphatically claim?

Slashdot has posted numerous submissions in the past describing problems with Chrome extensions, or Chrome extensions that do things that users may not want them to do.

Here are some examples, since you're probably too foolish to look them up for yourself:

Popular Chrome Extension Embedded A CPU-Draining Cryptocurrency Miner

Chrome Extension Developers Under a Barrage of Phishing Attacks

Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension

Chrome Extension Caught Hijacking Users' Browsers

Google Is Too Slow At Clearing Junkware From the Chrome Extension Store

Amazon One-Click Chrome Extension Snoops On SSL Traffic

I trust the competence of the Chrome developers far more than I do that of the Firefox developers. And so if the Chrome developers have had this much trouble, I really can't see the Firefox developers doing any better, and I can see them doing far worse.

Don't give us this bullshit about WebExtensions being "safe", especially when that hasn't been properly proven in practice yet.

Firefox is not winning over anyone

I want to like Firefox and its new browser. Yes its fast, but it also uses more CPU and GPU vs other browsers, its cold start is typically slow and the fact its only claim to fame is what every other browser already does is really nothing new. At least if you don't like Chrome or Edge for whatever reason, you now have a decent option in a open source project.

Re:How the fuck are you sure WebExtensions is safe

[billyswong]

Anyone mod parent up? An extension framework that can sandbox extension to be 100% safe is a framework that can do nothing useful. Babysitting always fail at the end. We can only make it permission-segmented enough and hope the users understand what such and such permissions imply.

Re:How the fuck are you sure WebExtensions is safe

Babysitting is basically Firefox's MO. There's a bunch of stuff you now can't do because idiot users can't be trusted. Meanwhile, people who actually know how to use their computers have their hands tied.

Considering how well mine works EVERYWHERE?

I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

his hosts program is actually pretty good by xenotransplant

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

(APK's) work, I've flat out said it's good by BronsCon

I've tried his hosts file generating software. It works by bmo

APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

I like your host file system by Karmashock

(See subject)

* It's recommended/hosted by Malwarebytes' hpHosts!

APK

P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

Re:Considering how well mine works EVERYWHERE?

[xOneca]

And how does hosts file block data: URIs, if there's no host to resolve?

Stopping domain/hostname sources does... apk

Stopping domain/hostname sources stops the delivery occurring (in email & on the web etc. where MOST threats come from (like 99% use host-domain names)).

* To answer your question? Then, there's LITTLE to NO THREAT & if a threat uses IP addresses (rare since that's VERY EASY for ICANN/IANA (whatever 'authoritative agency') & DNS level blocking + FIREWALL rulesets (vs. rarely used IP addresses - though I do see more malware using IP since LOADS of folks use hosts to blockout host-domains that are threats (DNS filtering like OpenDNS does the rest too)) - I pay attention to this data for over 20++ yrs. now & ANY security researcher WILL bear it out as truth/accurate/fact.

APK

P.S.=> Lastly - Did you REALLY think I wouldn't see this with you posting DAYS later? Please... apk

Re:Stopping domain/hostname sources does... apk

[xOneca]

I was not refering to using IPs, but that data: URIs don't use any networking at all, so no hosts involvement.

P.S. I am happy you saw and answered my reply.

Addons=inferior/inefficient/faulty vs. hosts

Hosts protect when addons can't (or as well):

Bad sites (past ads)
Botnet C&Cs
DNS down/poisoned
Trackers (dns logs/ads/transparent ISP proxy)
Dns blocks
Spam/phish payload
Slowdown 2 ways: adblocks & hardcodes
Hosts = Ez edit.

AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/

UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/

Hosts~6mb

Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/

NoScript tag parses. Hosts block script prior to it!

No 1 addon does as much.

Stacked addons slowup.

ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/ & http://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/

APK

P.S.=> Resource COST of URI based blockers = HUGE & they don't do a FRACTION of what hosts do! apk