Firefox begins to block data URIs in a new anti-phishing feature

in #firefox • 7 years ago

Mozilla has begun implementing a new feature that blocks data URIs in the navigation bar that abuse the protocol. The data URI scheme was introduced in 1998, when developers were looking for ways to embed files inside other files. They came up with the data URI scheme, which allows a developer to load a file represented as an ASCII-encoded octet stream inside another document.

This URI scheme has been popular among the developer community. It allows them to embed text-based files and images inside HTML documents instead of sending them separately. Search engines began ranking sites that implemented this new standard higher.

Here is an example of how websites use data:image/png;base64 raw streams to embed images inside HTML or CSS files instead of loading resources via "HTTP://domain.com..." HTTP requests:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />

Phishers love these data URIs

Around the late 2000s, data URIs were being abused for phishing and XSS attacks, and phishers began to perfect their techniques around them.

Over the past few years these tactics have been prevalent. The most abused cases use "data:text/html;base64" and "data:application/x-javascript;base64". These popular techniques provide a way to embed malicious HTML and JavaScript code inside legitimate sites.

Browsers taking action to block data URIs

These URIs can also be loaded directly in the browser's navigation bar to render the file; the attackers then use malicious code to hide the URL.

The scheme that was used for embedding files in other files became the standard navigation method in our browsers.

Firefox joins the rest

Developers have been working hard to harden the browser against incorrect usage of data URIs. When Mozilla Firefox 59 is released, they hope to roll out new security features that will prevent the rendering of dangerous HTML, JS, and SVG data URIs.

Among image data URIs, only those that render SVG are affected; other image formats are not.
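A defensive check in the spirit of the behaviour described above, as an added example (not code from Mozilla or from the original post): it parses a data URI and separates the media types that can carry markup or script (HTML, JavaScript, SVG) from passive images. The function names, the media-type list and the sample links are assumptions constructed for illustration.

```javascript
// Added example: classify data: URIs by whether their media type can run script.
// ACTIVE_TYPES is an assumption based on the types named in the article (HTML, JS, SVG).
const ACTIVE_TYPES = new Set([
  "text/html",
  "application/x-javascript",
  "application/javascript",
  "text/javascript",
  "image/svg+xml",
]);

// Parse data:[<mediatype>][;base64],<data> (RFC 2397). Returns null if not a data URI.
function parseDataUri(uri) {
  // Browsers drop tab/CR/LF inside URLs and ignore surrounding whitespace,
  // so normalise the same way before matching the scheme.
  const cleaned = String(uri).replace(/[\t\r\n]/g, "").trim();
  if (!/^data:/i.test(cleaned)) return null;
  const comma = cleaned.indexOf(",");
  if (comma === -1) return null; // malformed: no payload separator
  const params = cleaned.slice(5, comma).split(";").map((p) => p.trim());
  const isBase64 =
    params.length > 1 && params[params.length - 1].toLowerCase() === "base64";
  // A missing or invalid media type falls back to text/plain.
  const mimeType = params[0].includes("/") ? params[0].toLowerCase() : "text/plain";
  return { mimeType, isBase64, payload: cleaned.slice(comma + 1) };
}

// "active": can carry markup or script; "image": passive image; "other": the rest.
function classifyDataUri(uri) {
  const parsed = parseDataUri(uri);
  if (!parsed) return "not-data-uri";
  if (ACTIVE_TYPES.has(parsed.mimeType)) return "active";
  if (parsed.mimeType.startsWith("image/")) return "image";
  return "other";
}

// Constructed sample links, as they might appear in hrefs extracted from a mail or page.
const samples = [
  "data:image/png;base64,iVBORw0KGgo=",
  "data:text/html;base64,PGgxPmRlbW88L2gxPg==",
  " DATA:Image/SVG+XML,%3Csvg%20xmlns='http://www.w3.org/2000/svg'/%3E",
  "data:,hello",
  "https://example.com/",
];
for (const s of samples) console.log(classifyDataUri(s).padEnd(12), s.slice(0, 40));
```

A mail filter or link scanner can apply classifyDataUri to each extracted href and treat "active" results as candidates for blocking or review.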


How is the new FF with script blocking? 🤣

That was going to be my next test when I can get a chance to get in front of my computer again.
