Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol.

The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document.

Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request.

This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.

You don't have to look too far for websites that use data:image/png;base64 raw streams to embed images inside HTML or CSS files instead of loading resources via "http://domain.com/..." HTTP requests.

< img src="data:image/png;base64,iVBORw0KGgoAAA
ANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4
//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU
5ErkJggg==" alt="Red dot" / >

Data URIs are very popular with phishers, tech support scammers

But somewhere in the late 2000s, security researchers realized that data URIs could also be abused for phishing and XSS (cross-site scripting) attacks, a technique that was later perfected and better explained in 2012 by a researcher from the University of Oslo in Norway.

Since then, data URI-based phishing has become commonplace, with several phishing campaigns utilizing this tactic being reported almost every year [1, 2, 3, 4], and recently, even incorporated in tech support scams.

The most abused cases are "data:text/html;base64" and "data:application/x-javascript;base64" URIs, which provide a way to embed malicious HTML and JavaScript code inside legitimate sites.

Browsers start blocking data URIs for navigation purposes

These data URIs can also be loaded inside the browser navigation bar to render the file directly, and then use additional malicious code to hide the real URL.

A URL scheme that was once developed for "embedding files in other files" became a "navigation method" in modern browsers.

Browsers like Google Chrome and Microsoft Edge saw the abuse and acted by moving in to block the loading of data URIs inside the URL navigation bar. Now, Mozilla is doing the same for Firefox.

Firefox joins Chrome and Edge in blocking navigational data URIs

A Mozilla engineers has now pointed Bleeping Computer to a series of entries on the Foundation's bug tracker where Firefox developers have been working to harden the browser against the incorrect usage of data URIs, similar to what Chrome and Edge have already implemented.

"We only want to block top-level data URI navigations which are mostly used for phishing," said Christoph Kerschbaumer, one of the Mozilla engineers that have worked on this new security feature. "I don't see any actual use case for those navigations (besides actual phishing attempts)."

By Firefox 58 Mozilla engineers plan to roll out a series of security features that will prevent the rendering of dangerous HTML, JS, and SVG data URIs in certain scenarios:

⨠    A data URL link on a page is clicked manually or programmatically
⨠    A page tries to load a data URL via JavaScript functions such as location.href, location.assign() or location.replace()
⨠    A page tries to load a data URL in a new tab with the window.open() JavaScript function
⨠    A frame's inner content tries to load a data URL in the top level window or in a new tab

Data URIs that render non-SVG images, PDF, JSON and plain text files will not be affected, as they cannot be used for phishing attacks.

In addition, data URIs for HTML, JS, or SVG files will still render in certain not-dangerous conditions, such as:

⨠    A user manually types a data URL in the Address Bar to tries to load the content
⨠    A page tries to load a data URL in a < frame > or < iframe >
⨠    A page uses a data URL for an image or other assets
⨠    A page triggers a data file download

Data URI blocking arriving in Firefox 58

Mozilla has already started rolling out the data URI blocking mechanisms since Firefox 56, but they are officially scheduled to go live for all users in Firefox 58.

Data URI blocking is already active in Firefox Nightly and Developer edition. The feature is not active in the recently released Firefox 57.

Users can enable data URI blocking in Firefox 56 and 57 by typing "about:config" in the URL bar and accessing Firefox's hidden configuration panel.

Here, they must search for "security.data_uri.block_toplevel_data_uri_navigations" and double-click to enable the feature in Firefox right now.

If all is successful, when you click on links that point to data URIs, the link will refuse to load, similar to the GIF below.

Firefox blocking data URIs

Article updated on November 28 after Mozilla pushed this feature from Firefox 59 to Firefox 58.

Related Articles:

Mozilla Has Started Gradually Enabling TLS 1.3 in Firefox

Mozilla to Remove Legacy Firefox Add-Ons From Add-On Portal in Early October

Firefox Add-On With 220,000+ Installs Caught Collecting Users' Browsing History

Mozilla Is Working on a Chrome-Like "Site Isolation" Feature for Firefox

Mozilla to Remove Support for Built-In Feed Reader From Firefox