Hey Ehsan,
> On Sep 15, 2017, at 9:28 PM, Ehsan Akhgari wrote:
> I'm worried about the "FF57" part of this paragraph. There is almost no time
> left to test this kind of change on Nightly so this will probably get tested
> for the first few betas of 57. Even though the 0.01% number may look t
Hi Christoph,
On 09/15/2017 01:08 PM, Christoph Kerschbaumer wrote:
Hey Everyone,
we plan to prevent web pages from navigating the top-level window to a data:
URI. Historically data: URIs caused confusion for end users; mostly because end
users are not aware that data: URIs can encode untrust
On 9/15/17 10:08 AM, Christoph Kerschbaumer wrote:
> To mitigate that risk we installed a pref
> (“security.data_uri.block_toplevel_data_uri_navigations”) which blocks all
> top-level navigations to a data: URI. We plan to flip that pref in Nightly
> using “ifdef EARLY_BETA_OR_EARLIER”. In a few
You read my mind -- thanks!
Alex
On Fri, Sep 15, 2017 at 1:16 PM, Christoph Kerschbaumer
wrote:
>
> On Sep 15, 2017, at 7:14 PM, Alex Gaynor wrote:
>
> Hi Christoph,
>
> Great stuff!
>
> Are external applications able to trigger loads of data:, e.g. a desktop
> mail application, via the OS pro
> On Sep 15, 2017, at 7:14 PM, Alex Gaynor wrote:
>
> Hi Christoph,
>
> Great stuff!
>
> Are external applications able to trigger loads of data:, e.g. a desktop mail
> application, via the OS protocol handler facilities?
Sorry I forgot to mention that explicitly. Since scammers mostly trick
Hi Christoph,
Great stuff!
Are external applications able to trigger loads of data:, e.g. a desktop
mail application, via the OS protocol handler facilities?
Alex
On Fri, Sep 15, 2017 at 1:08 PM, Christoph Kerschbaumer
wrote:
> Hey Everyone,
>
> we plan to prevent web pages from navigating th
Hey Everyone,
we plan to prevent web pages from navigating the top-level window to a data:
URI. Historically data: URIs caused confusion for end users; mostly because end
users are not aware that data: URIs can encode untrusted content into a URL.
The fact that data: URIs can execute JavaScript