Mozilla plans to block web pages from navigating the top-level window to a data URL in the upcoming Firefox 58 Stable version.
The new stable version of the web browser will be released on January 23, 2018 according to the Firefox release schedule.
The change has found its way in development versions of the Firefox web browser such as Firefox Nightly already.
Christoph Kerschbaume, Content Security Tech Lead at Mozilla, notes on the official Mozilla Security blog that data URLs are used by malicious actors to trick users.
However, most end users are not aware of the concept of a data URL which can contain a legitimate address string making the end user believe they are browsing a particular web page. In reality, attacker provided data URLs can show disguised content tricking end users into providing their credentials.
Mozilla will block web pages from navigating the top-level window to data URLs to protect Firefox users from phishing attacks that abuse data URLs in Firefox 58.
The organization distinguishes between data URL scenarios that are blocked in Firefox 58, and scenarios that are not.
The following cases are blocked in Firefox 58 and newer versions of the web browser:
Firefox 58 won't block the following data loading scenarios:
Firefox displays a log entry in the console whenever a data request is blocked in the browser. You can load the Console with the shortcut Ctrl-Shift-K, or by tapping on the F12 key, and switching to Console when the Developer Tools interface opens in the browser.
Google Chrome and other Chromium-based web browsers block access to data URLs already as well.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.