Firefox 58 to block top-level data URL navigation
Mozilla plans to block web pages from navigating the top-level window to a data URL in the upcoming Firefox 58 Stable version.
The new stable version of the web browser will be released on January 23, 2018 according to the Firefox release schedule.
The change has already found its way into development versions of the Firefox web browser such as Firefox Nightly.
Christoph Kerschbaumer, Content Security Tech Lead at Mozilla, notes on the official Mozilla Security blog that data URLs are used by malicious actors to trick users.
Most end users are not aware of the concept of a data URL. Because a data URL can contain a legitimate-looking address string, it can make the end user believe they are browsing a particular web page. In reality, attacker-provided data URLs can show disguised content that tricks end users into providing their credentials.
To protect Firefox users from phishing attacks that abuse data URLs, Mozilla will block web pages from navigating the top-level window to data URLs in Firefox 58.
The organization distinguishes between data URL scenarios that are blocked in Firefox 58, and scenarios that are not.
The following cases are blocked in Firefox 58 and newer versions of the web browser:
- Navigation to a top-level data URL using: window.open, window.location or links.
- Redirections to a new top-level data URL using 302 redirects, meta refresh redirects.
- External programs that try to open data URLs in the web browser.
Firefox 58 won't block the following data loading scenarios:
- When the user enters or pastes data: into the address bar.
- When plain text data files are opened.
- When data:image is opened in top-level windows, unless it is data:image/svg+xml.
- When data:application/pdf or data:application/json are opened.
- When data is downloaded.
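The two lists above amount to a small decision rule: look at who initiated the navigation, whether it targets the top-level window, and what media type the data URL declares. The following JavaScript is an added example that models that rule so you can check a URL against it offline; it is not Firefox's own code, and the function names, the `ctx` object and the sample URLs are assumptions constructed for illustration. Page-initiated redirects (302, meta refresh) and navigations requested by external programs are modelled as non-user-typed, top-level navigations, which is how the article describes them.

```javascript
// Added example modelling the Firefox 58 top-level data: URL policy described in the article.
// Not Firefox's code; names and sample inputs are constructed for illustration.

// Parse the media type out of a data: URL (RFC 2397: data:[<mediatype>][;base64],<data>).
// Returns null when the string is not a data: URL at all.
function dataUrlMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url.trim());
  if (!m) return null;
  // Drop parameters such as ";base64" or ";charset=utf-8".
  // RFC 2397 says an omitted media type defaults to text/plain.
  const mediaType = m[1].split(";")[0].trim().toLowerCase();
  return mediaType === "" ? "text/plain" : mediaType;
}

// Decide whether Firefox 58 would block a navigation to `url`.
// `ctx` describes how the navigation was initiated (assumed shape):
//   topLevel:  true when the target is the top-level window (false for frames)
//   userTyped: true when the user entered or pasted the URL into the address bar
//   download:  true when the request is a download rather than a navigation
function isTopLevelDataNavigationBlocked(url, ctx) {
  const mediaType = dataUrlMediaType(url);
  if (mediaType === null) return false;            // not a data: URL, policy does not apply
  if (!ctx.topLevel) return false;                 // only top-level navigations are affected
  if (ctx.userTyped || ctx.download) return false; // address bar entry and downloads stay allowed

  // Media types the article lists as still permitted in a top-level window.
  if (mediaType === "text/plain") return false;
  if (mediaType === "application/pdf" || mediaType === "application/json") return false;
  if (mediaType.startsWith("image/") && mediaType !== "image/svg+xml") return false;

  // Everything else, notably text/html, which can render a full page, is blocked.
  return true;
}

// Run a constructed set of navigations through the rule and return the ones that would be
// blocked, which is what you would expect to see logged in the Firefox console.
function blockedNavigations(samples) {
  return samples
    .filter((s) => isTopLevelDataNavigationBlocked(s.url, s.ctx))
    .map((s) => s.url);
}

// Constructed sample navigations (not real traffic).
const pageInitiated = { topLevel: true, userTyped: false, download: false };
const sampleNavigations = [
  { url: "data:text/html,<h1>Sign in</h1>", ctx: pageInitiated },              // blocked
  { url: "data:text/html;base64,PGgxPlNpZ24gaW48L2gxPg==", ctx: pageInitiated }, // blocked
  { url: "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>", ctx: pageInitiated }, // blocked
  { url: "data:image/png;base64,iVBORw0KGgo=", ctx: pageInitiated },           // allowed
  { url: "data:application/json,{}", ctx: pageInitiated },                     // allowed
  { url: "data:,plain text", ctx: pageInitiated },                             // allowed
  { url: "data:text/html,<h1>Sign in</h1>", ctx: { ...pageInitiated, userTyped: true } }, // allowed
  { url: "data:text/html,<h1>Sign in</h1>", ctx: { ...pageInitiated, topLevel: false } }, // allowed (frame)
];

console.log("Blocked:", blockedNavigations(sampleNavigations));
```

The media-type check is deliberately done on the declared type rather than on the payload: that is what the browser has to go on when deciding whether to navigate, and it is why `data:image/svg+xml` gets its own exception, since SVG can carry script and markup while other image types cannot.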
Firefox displays a log entry in the console whenever a data request is blocked in the browser. You can load the Console with the shortcut Ctrl-Shift-K, or by tapping on the F12 key, and switching to Console when the Developer Tools interface opens in the browser.
Google Chrome and other Chromium-based web browsers already block top-level navigations to data URLs as well.