Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Firefox Privacy The Internet

Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com) 70

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.
This discussion has been archived. No new comments can be posted.

Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature

Comments Filter:
  • What? (Score:5, Funny)

    by DontBeAMoran ( 4843879 ) on Thursday November 16, 2017 @04:41PM (#55565411)

    Why do they always need to re-invent the wheel? Why can't they use RFC 3514 like everybody else?

    • by Anonymous Coward

      And why is there so much Mozilla spam on here lately? This is not MMN: the Mozilla News Network.

      • The Beast adopted new raiment and studied the ways of Time and Space and Light and the Flow of energy through the Universe. From its studies, the Beast fashioned new structures from oxidised metal and proclaimed their glories. And the Beast’s followers rejoiced, finding renewed purpose in these teachings.

        -- from The Book of Mozilla, 11:14
      • They're spending a lot of money to try to counteract the negative press over getting rid of extensions.

        • What negative press? The only whining I've seen has come from hopeless shut-in neckbeards who cling on to outdated and obsolete extensions that were last updated 5+ years ago, yet expect them to still work perfectly in a completely re-written browser.

          • Oh, that's interesting. So, you only heard the opinions bouncing off the basement walls? Because the extensions people are talking about are very popular, actively-maintained ones. And huge numbers of people already switched browsers. It is a thing.

            Probably nobody ever stopped using KDE or Gnome when they made large unpopular changes, right? Complaints don't matter, because .... ? Because why? Because we don't have any power to choose, or ... ?

            • Because the extensions people are talking about are very popular, actively-maintained ones

              No, not really. NoScript is probably the only one that really fits that description, and that's coming for FF57 by the end of this week.

              All of the others are niche, at best. You may think they're hugely popular, but that's because you're in the tiny sphere of super hardcore nerds who insist on very specific niche extensions, because they think it would be "painful" to do without them. The outcry has been incredibly minor on the grand scale of things, while the praise has been almost completely unanimous.

              • Right, right, it is the same "grand scale of things" on which everybody was just going to keep using IE because it had so much market share.

                If the goal is to be dismissive of people with complaints, that is the exact same goal as wanting people to switch browsers. And it does indeed seem achievable.

                • No one is being dismissive of people with genuine complaints, only the sadface whiners.

                  • Can you comprehend that that is a circular argument, and therefore stupid and idiotic? As long as you know what choice you're making, I don't care.

                    I don't think I've seen a single complaint that involved caring about what you think, for example. So perhaps we can at least agree that your sociopathic nonsense is off topic.

                    • A piece of software no longer caters to your 10 years out of date usage pattern. Oh cry me a river.

                    • Notice in the complaints, nobody is claiming that there complaint is dependent on your feelies. I don't care what your feelies are.

                      Why do you think I would find your feelies relevant to my complaint? That's the part you should focus on. Why do you have an emotional attachment to my complaint? My complaint has no emotional attachment to you! That's probably why I shared my opinion, instead of asking you what opinion I should have. Complaining that my opinion exists is just sad; form your own opinion, and hav

                    • s/there/their/

                    • It's kinda funny how you claim you are completely neutral in this, but your post betrays the fact that you're deeply emotionally affected by something as silly as a web browser that doesn't cater 100% to your highly specific use case.

                      Get a life etc.

                    • Nope. My post only shows a reaction to your words. Actually, it is hilarious that you can't comprehend that difference.

                      I'd explain it, but... yeah. Not much chance of utility.

      • by lordlod ( 458156 )

        Worse, it is Bleeping Computer reposting a Mozilla blog entry and submitting it to Slashdot.

        The third example of this I have seen in the last week or so.

  • So...they are blocking embedded files now?

    Web sites like CNN are excruciatingly slow because they are selling your ad space off in real time to a dozen different agencies.

    • I think they are blocking data URIs in the URL?

      That's what I understand when I read "block navigational data URIs".

      I don't see how embedding a base64-encoded string of a PNG image inside a CSS file could be used for phishing.

      • Re: (Score:3, Informative)

        by LucasBC ( 1138637 )
        They won't be blocking encoded strings for PNG's or other "safe" assets, only encoded strings in top-level data URI navigation (e.g. the address bar, browser history, etc.) and some restricted uses of embedded content such as HTML and JavaScript.
      • by Anonymous Coward

        They are blocking it in the address bar, not in the page contents (where they should be safe).

        This picture [easysol.net] is an example of a full html file embedded in the address bar, you could use it to build a fake login page that looks real and send data wherever you wanted, and gets past many filters because it's encoded.

        Here is a more advanced attack [myonlinesecurity.co.uk] that also uses navigation plus embedded javascript in the link to take you to the legitimate site and send your data elsewhere.

        • There are legitimate uses for data: URI in the navigational bar, too. I have one that I'll have to recode now, that was the result of having to work around the horrible lack of useful WebDAV support in modern browsers. Popping a new page up in a separate tab (to not mess up a single-page-application) to then do a redirect, etc. was the solution I had to come to, after Firefox killed plugins that don't meet their security requirements (which we don't for our in-house extension, because it uses the Registry a

          • WebDAV, is he still around?!

            • Yes, WebDAV is still around. It's not a bad spec, really useful in corporate environments.

              I'm seeing complaints about Chrome's disabling of data: in the navigation bar having broken jsPDF, and that makes sense -- if they try to translate a PDF file into HTML client-side and display the temporary result in a new tab, it'll fail. The same would be true if you were generating SVG or PDF content on the fly and pushing it into a new tab for display (graphing libraries, report-generators, etc. that operate client

              • If you're opening it in a new tab, there is no good reason for it; if you're embedding it in a document you're already rendering, there is a potential performance benefit. But if you're loading it in a new tab, the user isn't going to see any benefit; the only thing they gain is that they don't have to choose between using a temp file or using memcache or whatever!

                That's easily enough to distract me from teasing poor DAV.

                The sad part is, instead of fixing their crap people are just going to use extra JS and

    • by Anonymous Coward
      They are only blocking data URLs in the address bar that use "data:text/html,base64" and such.... an obvious phishing trick used to bypass corporate phishing solutions. Trust me. It's a good thing! Data URLs inside pages or CSS files will continue to work.
      • by Anonymous Coward

        Not even in the address bar, even. Just preventing a link to a Data URI like that from navigating to it. You can still copy-paste those links into the URL bar if you really wanna, like a good moron (or wiser dev trying to test stuff). I fully expect that to go away too eventually, mind you.

  • I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

    • by green1 ( 322787 ) on Thursday November 16, 2017 @05:34PM (#55565799)

      Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

      • by mjwx ( 966435 )

        Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.

        ./ is a bad example. Despite the number of hands its been through in recent years advertising has remained pretty unintrusive.

        The sites I hate are the ones that have a popover demanding you disable your adblock so they can bombard you with VIDEO AD AT FULL VOLUME, punch the monkey, malware delivered by advertising, tracking bots, pop ups, pop overs, pop unders, pop reach-arounds, advertising interstitials and one item per page so you have to navigate through 30 pages of ads to get one, maybe two pages of

    • I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.

      Why don't you just click the button to disable slashdot ads? I think you get it when you have enough karma.

  • Browsers like Google Chrome and Microsoft Edge saw the abuse and acted by moving in to block the loading of data URIs inside the URL navigation bar. Now, Mozilla is doing the same for Firefox.

    Nothing new

    Please keep moving. Nothing to see here.

  • A Better Headline (Score:5, Informative)

    by darkain ( 749283 ) on Thursday November 16, 2017 @05:29PM (#55565735) Homepage

    A better headline is actually a paragraph header half way through TFA:

    "Firefox joins Chrome and Edge in blocking navigational data URIs"

    So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

    • by jez9999 ( 618189 )

      So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.

      Yeah, I forgot that the whole reason you develop a browser is to make it exactly the same as all competing browsers. There was me thinking it was about providing users with choice. What a silly notion.

  • The more I realize that I can just import my bookmarks into Chrome and treat FF like I did with the netscape browser so many years ago. Remove the app and forget about it.

    The major thing that makes me want to ditch FF is that the extensions and addons in chrome won't just stop working all at once like it will with 57.

    • Mozilla has been stating loudly for YEARS that they would be moving on from the old add-ons. Here's an official post from them in August 2015 about beginning to move in the direction of web extensions: https://blog.mozilla.org/addon... [mozilla.org] For a browser to compete, it has to be fast, and it has to be safe. Web Extensions tick box #2.

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...