Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.
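An added example, not code from the article, Mozilla or any browser: a Node.js sketch that parses the RFC 2397 format described in the summary and triages link targets by whether the data: URI carries a renderable document or an inert asset. The list of "active" media types, the function names and the sample links are assumptions constructed for illustration, not Firefox's actual blocking rules.

```javascript
// Added example (assumption-based triage sketch, runs under Node.js).
// Media types treated as "active" are an assumption, not a browser's real policy.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/javascript', 'application/javascript',
]);

// Parse an RFC 2397 URI: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^\s*data:([^,]*),(.*)$/is.exec(uri);
  if (!m) return null;                        // not a data: URI, or no comma
  const params = m[1].split(';').map(s => s.trim());
  // RFC 2397 default when the media type is omitted
  const mediaType = (params.shift() || 'text/plain').toLowerCase();
  const isBase64 = params.some(p => p.toLowerCase() === 'base64');
  let body;
  try {
    body = isBase64
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch (e) {
    body = null;                              // malformed percent-encoding
  }
  return { mediaType, isBase64, body };
}

// Triage one link target taken from a page or e-mail.
function triageLink(href) {
  const d = parseDataUri(href);
  if (!d) return 'not-data-uri';
  if (d.body === null) return 'malformed';
  if (!ACTIVE_TYPES.has(d.mediaType)) return 'inert-asset';
  // A rendered document that asks for a password deserves an analyst's look.
  return /<input[^>]+type\s*=\s*["']?password/i.test(d.body)
    ? 'active-with-password-field'
    : 'active-document';
}

// Constructed sample links (not taken from any real campaign).
const SAMPLES = [
  'https://example.com/login',
  'data:image/png;base64,iVBORw0KGgo=',
  'data:text/html,%3Ch1%3EHello%3C%2Fh1%3E',
  'data:text/html;base64,' +
    Buffer.from('<form><input type="password" name="p"></form>').toString('base64'),
];
for (const s of SAMPLES) console.log(triageLink(s), '<-', s.slice(0, 40));
```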
Why do they always need to re-invent the wheel? Why can't they use RFC 3514 like everybody else?
#DeleteFacebook
I think they are blocking data URIs in the URL?
That's what I understand when I read "block navigational data URIs".
I don't see how embedding a base64-encoded string of a PNG image inside a CSS file could be used for phishing.
#DeleteFacebook
A better headline is actually a paragraph header halfway through TFA:
"Firefox joins Chrome and Edge in blocking navigational data URIs"
So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.
Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.
They won't be blocking encoded strings for PNGs or other "safe" assets, only encoded strings in top-level data URI navigation (e.g. the address bar, browser history, etc.) and some restricted uses of embedded content such as HTML and JavaScript.
The Beast adopted new raiment and studied the ways of Time and Space and Light and the Flow of energy through the Universe. From its studies, the Beast fashioned new structures from oxidised metal and proclaimed their glories. And the Beast’s followers rejoiced, finding renewed purpose in these teachings.
-- from The Book of Mozilla, 11:14
There are legitimate uses for data: URIs in the navigational bar, too. I have one that I'll have to recode now, that was the result of having to work around the horrible lack of useful WebDAV support in modern browsers. Popping a new page up in a separate tab (to not mess up a single-page-application) to then do a redirect, etc. was the solution I had to come to, after Firefox killed plugins that don't meet their security requirements (which we don't for our in-house extension, because it uses the Registry and launches apps, to try to get around the same problem of poor WebDAV support -- none of that will get past today's plugin-signing process, so the extension has to die.) Data URIs were a quick and easy solution for serving up temporary content in a new tab, which I'll need to replace with some kind of server-hosted page ... not at all impossible, but dang it, I had it working and it was simpler. Phishers ruin it for the rest of us.
They're spending a lot of money to try to counteract the negative press over getting rid of extensions.