Slashdot Mirror


Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.

42 of 70 comments

  1. What? by DontBeAMoran · · Score: 4, Funny

    Why do they always need to re-invent the wheel? Why can't they use RFC 3514 like everybody else?

    --
    #DeleteFacebook
  2. Anyway by Impy+the+Impiuos+Imp · · Score: 1

    So...they are blocking embedded files now?

    Web sites like CNN are excruciatingly slow because they are selling your ad space off in real time to a dozen different agencies.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Anyway by DontBeAMoran · · Score: 2

      I think they are blocking data URIs in the URL?

      That's what I understand when I read "block navigational data URIs".

      I don't see how embedding a base64-encoded string of a PNG image inside a CSS file could be used for phishing.

      --
      #DeleteFacebook
    2. Re:Anyway by Anonymous Coward · · Score: 1

      They are only blocking data URLs in the address bar that use "data:text/html,base64" and such.... an obvious phishing trick used to bypass corporate phishing solutions. Trust me. It's a good thing! Data URLs inside pages or CSS files will continue to work.

    3. Re:Anyway by LucasBC · · Score: 3, Informative

      They won't be blocking encoded strings for PNG's or other "safe" assets, only encoded strings in top-level data URI navigation (e.g. the address bar, browser history, etc.) and some restricted uses of embedded content such as HTML and JavaScript.

    4. Re:Anyway by Anonymous Coward · · Score: 1

      They are blocking it in the address bar, not in the page contents (where they should be safe).

      This picture is an example of a full html file embedded in the address bar, you could use it to build a fake login page that looks real and send data wherever you wanted, and gets past many filters because it's encoded.

      Here is a more advanced attack that also uses navigation plus embedded javascript in the link to take you to the legitimate site and send your data elsewhere.

    5. Re:Anyway by Anonymous Coward · · Score: 1

      Not even in the address bar, even. Just preventing a link to a Data URI like that from navigating to it. You can still copy-paste those links into the URL bar if you really wanna, like a good moron (or wiser dev trying to test stuff). I fully expect that to go away too eventually, mind you.

    6. Re:Anyway by Unordained · · Score: 2

      There are legitimate uses for data: URI in the navigational bar, too. I have one that I'll have to recode now, that was the result of having to work around the horrible lack of useful WebDAV support in modern browsers. Popping a new page up in a separate tab (to not mess up a single-page-application) to then do a redirect, etc. was the solution I had to come to, after Firefox killed plugins that don't meet their security requirements (which we don't for our in-house extension, because it uses the Registry and launches apps, to try to get around the same problem of poor WebDAV support -- none of that will get past today's plugin-signing process, so the extension has to die.) Data URI were a quick and easy solution for serving up temporary content in a new tab, which I'll need to replace with some kind of server-hosted page ... not at all impossible, but dang it, I had it working and it was simpler. Phishers ruin it for the rest of us.

    7. Re:Anyway by Aighearach · · Score: 1

      WebDAV, is he still around?!

    8. Re:Anyway by Unordained · · Score: 1

      Yes, WebDAV is still around. It's not a bad spec, really useful in corporate environments.

      I'm seeing complaints about Chrome's disabling of data: in the navigation bar having broken jsPDF, and that makes sense -- if they try to translate a PDF file into HTML client-side and display the temporary result in a new tab, it'll fail. The same would be true if you were generating SVG or PDF content on the fly and pushing it into a new tab for display (graphing libraries, report-generators, etc. that operate client-side rather than server-side).
      It does look like they kept the functionality working as long as it's in an IFRAME, but those can get ugly to work with. At least we won't be the only ones scrambling to create workarounds...
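The blocking rule that comments 2 through 8 above describe (top-level navigations to data: URIs carrying HTML or script are blocked; images, plain text, and data: content embedded in an already-loaded page or iframe keep working; pasting such a URL into the address bar is still allowed), written out as an added example that is not part of this thread, the article, or Firefox's own code. The allow-list of media types and the `context` and `userTyped` parameters are assumptions made for illustration.

```javascript
// Added example, not from the article, the thread or Firefox itself.
// A minimal RFC 2397 data: URI parser plus a navigation policy that
// models the behaviour the comments describe. The allow-list of media
// types and the context/userTyped parameters are ASSUMPTIONS for
// illustration, not Mozilla's actual implementation.

// Parse "data:[<mediatype>][;base64],<payload>". Returns null for
// anything that is not a data: URI.
function parseDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/is.exec(uri.trim());
  if (!m) return null;
  const params = m[1].split(";").map((p) => p.trim().toLowerCase());
  // RFC 2397: an omitted media type means text/plain.
  const mediaType = params[0].includes("/") ? params[0] : "text/plain";
  return { mediaType, base64: params.includes("base64"), payload: m[2] };
}

// Decode the payload so a filter can see what a base64 blob really
// carries (for instance a complete HTML document).
function decodePayload(parsed) {
  return parsed.base64
    ? Buffer.from(parsed.payload, "base64").toString("utf8")
    : decodeURIComponent(parsed.payload);
}

// context: "toplevel" (address bar, link click, redirect) or "embedded"
// (img src, CSS url(), iframe inside an already-loaded page).
// userTyped: true when the user typed or pasted the URL themselves.
function navigationDecision(uri, context, userTyped = false) {
  const d = parseDataUri(uri);
  if (d === null) return "allow";            // not a data: URI, out of scope
  if (context !== "toplevel") return "allow"; // embedded resources keep working
  if (userTyped) return "allow";             // manual entry is still permitted
  const t = d.mediaType;
  const harmless =
    t === "text/plain" ||
    t === "application/pdf" ||
    (t.startsWith("image/") && t !== "image/svg+xml"); // SVG can carry script
  return harmless ? "allow" : "block";
}

// Constructed sample: just "<html>" encoded as base64, nothing more.
const SAMPLE_HTML_URI = "data:text/html;base64,PGh0bWw+";
console.log(navigationDecision(SAMPLE_HTML_URI, "toplevel")); // prints "block"
console.log(navigationDecision(SAMPLE_HTML_URI, "embedded")); // prints "allow"
```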

    9. Re:Anyway by Aighearach · · Score: 1

      If you're opening it in a new tab, there is no good reason for it; if you're embedding it in a document you're already rendering, there is a potential performance benefit. But if you're loading it in a new tab, the user isn't going to see any benefit; the only thing they gain is that they don't have to choose between using a temp file or using memcache or whatever!

      That's easily enough to distract me from teasing poor DAV.

      The sad part is, instead of fixing their crap people are just going to use extra JS and still serialize it into the URL.

      IMO the problem isn't having the data in the URI, it is having the data in the URL! If it is in the URI or not, who cares? Is it stored somewhere inside the stuff in the location bar of the browser, instead of on a server? That seems the real problem.

  3. More Mozilla spam by Anonymous Coward · · Score: 1

    And why is there so much Mozilla spam on here lately? This is not MMN: the Mozilla News Network.

    1. Re:More Mozilla spam by theweatherelectric · · Score: 2

      The Beast adopted new raiment and studied the ways of Time and Space and Light and the Flow of energy through the Universe. From its studies, the Beast fashioned new structures from oxidised metal and proclaimed their glories. And the Beast’s followers rejoiced, finding renewed purpose in these teachings.

      -- from The Book of Mozilla, 11:14

    2. Re:More Mozilla spam by Aighearach · · Score: 2

      They're spending a lot of money to try to counteract the negative press over getting rid of extensions.

    3. Re:More Mozilla spam by lordlod · · Score: 1

      Worse, it is Bleeping Computer reposting a Mozilla blog entry and submitting it to Slashdot.

      The third example of this I have seen in the last week or so.

    4. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      What negative press? The only whining I've seen has come from hopeless shut-in neckbeards who cling on to outdated and obsolete extensions that were last updated 5+ years ago, yet expect them to still work perfectly in a completely re-written browser.

      --
      Eat the rich.
    5. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      Set "extensions.pocket.enabled" to false in about:config. Voila.

      --
      Eat the rich.
    6. Re:More Mozilla spam by Aighearach · · Score: 1

      Oh, that's interesting. So, you only heard the opinions bouncing off the basement walls? Because the extensions people are talking about are very popular, actively-maintained ones. And huge numbers of people already switched browsers. It is a thing.

      Probably nobody ever stopped using KDE or Gnome when they made large unpopular changes, right? Complaints don't matter, because .... ? Because why? Because we don't have any power to choose, or ... ?

    7. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      Because the extensions people are talking about are very popular, actively-maintained ones

      No, not really. NoScript is probably the only one that really fits that description, and that's coming for FF57 by the end of this week.

      All of the others are niche, at best. You may think they're hugely popular, but that's because you're in the tiny sphere of super hardcore nerds who insist on very specific niche extensions, because they think it would be "painful" to do without them. The outcry has been incredibly minor on the grand scale of things, while the praise has been almost completely unanimous.

      --
      Eat the rich.
    8. Re:More Mozilla spam by Aighearach · · Score: 1

      Right, right, it is the same "grand scale of things" on which everybody was just going to keep using IE because it had so much market share.

      If the goal is to be dismissive of people with complaints, that is the exact same goal as wanting people to switch browsers. And it does indeed seem achievable.

    9. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      No one is being dismissive of people with genuine complaints, only the sadface whiners.

      --
      Eat the rich.
    10. Re:More Mozilla spam by Aighearach · · Score: 1

      Can you comprehend that that is a circular argument, and therefore stupid and idiotic? As long as you know what choice you're making, I don't care.

      I don't think I've seen a single complaint that involved caring about what you think, for example. So perhaps we can at least agree that your sociopathic nonsense is off topic.

    11. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      A piece of software no longer caters to your 10 years out of date usage pattern. Oh cry me a river.

      --
      Eat the rich.
    12. Re:More Mozilla spam by Aighearach · · Score: 1

      Notice in the complaints, nobody is claiming that there complaint is dependent on your feelies. I don't care what your feelies are.

      Why do you think I would find your feelies relevant to my complaint? That's the part you should focus on. Why do you have an emotional attachment to my complaint? My complaint has no emotional attachment to you! That's probably why I shared my opinion, instead of asking you what opinion I should have. Complaining that my opinion exists is just sad; form your own opinion, and have it exist separately from mine, since you don't agree with mine! It is really that easy.

      If you learned to think for yourself, you might be able to understand that many others are already thinking for themselves and don't really care about what negative feelies you had when you heard their opinion. It isn't an idea or a counterpoint, it is just pathetic childishness.

    13. Re:More Mozilla spam by Aighearach · · Score: 1

      s/there/their/

    14. Re:More Mozilla spam by KozmoStevnNaut · · Score: 1

      It's kinda funny how you claim you are completely neutral in this, but your post betrays the fact that you're deeply emotionally affected by something as silly as a web browser that doesn't cater 100% to your highly specific use case.

      Get a life etc.

      --
      Eat the rich.
    15. Re:More Mozilla spam by Aighearach · · Score: 1

      Nope. My post only shows a reaction to your words. Actually, it is hilarious that you can't comprehend that difference.

      I'd explain it, but... yeah. Not much chance of utility.

  4. I think that will affect slashdot by HermMunster · · Score: 1

    I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

    --
    You can lead a man with reason but you can't make him think.
    1. Re:I think that will affect slashdot by green1 · · Score: 3, Interesting

      Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

    2. Re:I think that will affect slashdot by Carewolf · · Score: 1

      I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

      Why don't you just click the button to disable slashdot ads? I think you get it when you have enough karma.

    3. Re:I think that will affect slashdot by mjwx · · Score: 1

      Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

      ./ is a bad example. Despite the number of hands it's been through in recent years, advertising has remained pretty unintrusive.

      The sites I hate are the ones that have a popover demanding you disable your adblock so they can bombard you with VIDEO AD AT FULL VOLUME, punch the monkey, malware delivered by advertising, tracking bots, pop ups, pop overs, pop unders, pop reach-arounds, advertising interstitials and one item per page so you have to navigate through 30 pages of ads to get one, maybe two pages of content.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  5. Please keep moving... by 140Mandak262Jamuna · · Score: 1

    Browsers like Google Chrome and Microsoft Edge saw the abuse and acted by moving in to block the loading of data URIs inside the URL navigation bar. Now, Mozilla is doing the same for Firefox.

    Nothing new

    Please keep moving. Nothing to see here.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. A Better Headline by darkain · · Score: 4, Informative

    A better headline is actually a paragraph header half way through TFA:

    "Firefox joins Chrome and Edge in blocking navigational data URIs"

    So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

    1. Re:A Better Headline by jez9999 · · Score: 1

      So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

      Yeah, I forgot that the whole reason you develop a browser is to make it exactly the same as all competing browsers. There was me thinking it was about providing users with choice. What a silly notion.

  7. Re:Eat to the Beat! by Anonymous Coward · · Score: 1

    Were he actually touching her breasts, you'd not be able to see the shadows beneath his fingertips, genius.

  8. The more I hear about Firefox 57 by bobstreo · · Score: 1

    The more I realize that I can just import my bookmarks into Chrome and treat FF like I did with the netscape browser so many years ago. Remove the app and forget about it.

    The major thing that makes me want to ditch FF is that the extensions and addons in Chrome won't just stop working all at once like they will with 57.

    1. Re:The more I hear about Firefox 57 by walllaby · · Score: 1

      Mozilla has been stating loudly for YEARS that they would be moving on from the old add-ons. Here's an official post from them in August 2015 about beginning to move in the direction of web extensions: https://blog.mozilla.org/addon... For a browser to compete, it has to be fast, and it has to be safe. Web Extensions tick box #2.

  9. Re:Hey retard by bobstreo · · Score: 1

    Why do you feel the need to tell us that?
    I personally found 57 to be the best thing ever, and none of my extensions broke because I was ready for this update 6 months ago. BUT you don't hear me yelling about it on a has-been tech forum.

    Anyway thanks for sharing, now fuck off to Chrome.

    Found the Mozilla developer in the thread.

  10. Re:Firefox is falling so far behind these days. by cas2000 · · Score: 1

    that makes perfect sense - if you want to view the content made by an advertising company it would be totally insane to do it on a browser made by another advertising company.

    better option: disable all DRM bullshit, boycott companies that depend upon DRM (and bribe it into web standards), and refuse to watch their programs.

    if you really must view videos made by such a company, there's always bit torrent.

  11. Re:How the fuck are you sure WebExtensions is safe by billyswong · · Score: 1

    Anyone mod parent up? An extension framework that can sandbox extensions to be 100% safe is a framework that can do nothing useful. Babysitting always fails in the end. We can only make it permission-segmented enough and hope the users understand what such and such permissions imply.

  12. Re:Considering how well mine works EVERYWHERE? by xOneca · · Score: 1

    And how does hosts file block data: URIs, if there's no host to resolve?

  13. Re:Stopping domain/hostname sources does... apk by xOneca · · Score: 1
    I was not referring to using IPs, but that data: URIs don't use any networking at all, so no hosts involvement.

    P.S. I am happy you saw and answered my reply.