Date: 2017-11-16
Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com) 40
Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.
So...they are blocking embedded files now?
Web sites like CNN are excruciatingly slow because they are selling your ad space off in real time to a dozen different agencies.
I think they are blocking data URIs in the URL?
That's what I understand when I read "block navigational data URIs".
I don't see how embedding a base64-encoded string of a PNG image inside a CSS file could be used for phishing.
They are blocking it in the address bar, not in the page contents (where they should be safe).
This picture [easysol.net] is an example of a full HTML file embedded in the address bar; you could use it to build a fake login page that looks real and send data wherever you wanted, and it gets past many filters because it's encoded.
Here is a more advanced attack [myonlinesecurity.co.uk] that also uses navigation plus embedded JavaScript in the link to take you to the legitimate site and send your data elsewhere.
There are legitimate uses for data: URI in the navigational bar, too. I have one that I'll have to recode now, that was the result of having to work around the horrible lack of useful WebDAV support in modern browsers. Popping a new page up in a separate tab (to not mess up a single-page-application) to then do a redirect, etc. was the solution I had to come to, after Firefox killed plugins that don't meet their security requirements (which we don't for our in-house extension, because it uses the Registry a
WebDAV, is he still around?!
Not even in the address bar, even. Just preventing a link to a Data URI like that from navigating to it. You can still copy-paste those links into the URL bar if you really wanna, like a good moron (or wiser dev trying to test stuff). I fully expect that to go away too eventually, mind you.
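The case discussed in the comments above, a link whose target is a whole HTML page carried in a data: URI, can be checked for before anything navigates to it. This is an added example, not code from the thread, the article or any browser: it parses RFC 2397 URIs and triages link targets on the decoded body, and the active-type list, verdict names and sample links are assumptions made for illustration.

```javascript
// Added example: RFC 2397 parsing plus link triage. The policy is an assumption.
// Media types a browser renders as an active document when navigated to.
const ACTIVE_TYPES = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Parse "data:[<mediatype>][;base64],<data>"; null if not a well-formed data: URI.
function parseDataUri(uri) {
  const s = String(uri).trim();
  const comma = s.indexOf(",");
  if (!/^data:/i.test(s) || comma === -1) return null;
  const params = s.slice(5, comma).split(";").map((p) => p.trim().toLowerCase());
  const base64 = params.length > 1 && params[params.length - 1] === "base64";
  const mediaType = params[0] || "text/plain"; // RFC 2397 default
  try {
    const raw = decodeURIComponent(s.slice(comma + 1));
    const body = base64 ? Buffer.from(raw, "base64").toString("utf8") : raw;
    return { mediaType, base64, body };
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Classify a link target (href) before a click can navigate to it.
function triageLink(href) {
  const isData = /^data:/i.test(String(href).trim());
  if (!isData) return "not-data";
  const parsed = parseDataUri(href);
  if (!parsed) return "block"; // unparseable data: link, fail closed
  if (!ACTIVE_TYPES.has(parsed.mediaType)) return "inert";
  // Decoded body is inspected, so base64 or percent-encoding hides nothing.
  const loginMarkup = /<form\b|type\s*=\s*["']?password|<script\b/i.test(parsed.body);
  return loginMarkup ? "block-login-markup" : "block";
}

// Constructed sample links (not taken from the thread or the linked write-ups).
const page = '<form><input type="password" name="p"></form>';
const SAMPLES = [
  "https://example.com/login",
  "data:image/png;base64,iVBORw0KGgo=",
  "data:text/html,%3Ch1%3Ehello%3C%2Fh1%3E",
  "data:text/html;base64," + Buffer.from(page).toString("base64"),
  "data:text/html,%E0%A4%A",
];

function triageAll() {
  return SAMPLES.map(triageLink);
}

console.log(triageAll());
```

Embedded image data such as the PNG sample comes back as "inert", which matches the distinction drawn in the thread between data URIs inside page content and data URIs used as navigation targets.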
I think that will affect slashdot (Score:2)
I believe slashdot uses that to embed ads so they can't be blocked. If you view page source on the main slashdot page you'll see what I mean. Of course I could be misunderstanding what Mozilla is saying and/or what slashdot is doing.
Re:I think that will affect slashdot (Score:4, Interesting)
Considering how well my ad blocker works on Slashdot (100%), I would say that this is either not the case, or is highly ineffective.
Please keep moving... (Score:2)
Browsers like Google Chrome and Microsoft Edge saw the abuse and acted by moving in to block the loading of data URIs inside the URL navigation bar. Now, Mozilla is doing the same for Firefox.
Nothing new
Please keep moving. Nothing to see here.
A Better Headline (Score:5, Informative)
A better headline is actually a paragraph header halfway through TFA:
"Firefox joins Chrome and Edge in blocking navigational data URIs"
So basically Firefox is simply implementing what is already standard practice otherwise on competing browsers.
That makes perfect sense - if you want to view the content made by an advertising company it would be totally insane to do it on a browser made by another advertising company.
Better option: disable all DRM bullshit, boycott companies that depend upon DRM (and bribe it into web standards), and refuse to watch their programs.
If you really must view videos made by such a company, there's always BitTorrent.
The more I hear about Firefox 57 (Score:2)
The more I realize that I can just import my bookmarks into Chrome and treat FF like I did with the Netscape browser so many years ago. Remove the app and forget about it.
The major thing that makes me want to ditch FF is that the extensions and addons in Chrome won't just stop working all at once like it will with 57.
Why do you feel the need to tell us that?
I personally found 57 to be the best thing ever, and none of my extensions broke because I was ready for this update 6 months ago. BUT you don't hear me yelling about it on a has-been tech forum.
Anyway thanks for sharing, now fuck off to Chrome.
