Hi Christoph,
On 09/15/2017 01:08 PM, Christoph Kerschbaumer wrote:
Hey Everyone,
we plan to prevent web pages from navigating the top-level window to a data:
URI. Historically data: URIs caused confusion for end users; mostly because end
users are not aware that data: URIs can encode untrusted content into a URL.
The fact that data: URIs can execute JavaScript makes them popular amongst
scammers for spoofing and phishing attacks.
Fantastic!
To mitigate that risk we installed a pref
(“security.data_uri.block_toplevel_data_uri_navigations”) which blocks all
top-level navigations to a data: URI. We plan to flip that pref in Nightly
using “ifdef EARLY_BETA_OR_EARLIER”. In a few weeks we will evaluate whether we
can flip on that change in behavior for FF57 or whether we are going to wait to
ship that change in behavior till FF58.
I'm worries about the "FF57" part of this paragraph. There is almost no
time left to test this kind of change on Nightly so this will probably
get tested for the first few betas of 57. Even though the 0.01% number
may look too low, is that number enough to give us confidence to do this
so late in the 57 cycle, given the current focus in avoiding to
introduce risk into this release? Also have we looked more into what
the 0.01% number of navigations which would have been blocked are coming
from? For example, hypothetically speaking, do they mostly come from
external applications?
Thanks,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
