Primary eng (and PM) emails
Eng: mea...@chromium.org
Summary
We intend to block web pages from loading data: URLs in the top frame using <A> tags, window.open, window.location and similar mechanisms.
Motivation
data: URLs are generally a source of confusion for users. Because of their unfamiliarity and ability to encode arbitrary untrusted content in a URL, they are widely being used in spoofing and phishing attacks. Another problem is that they can be passed along without a backing page that runs JavaScript (e.g. a data URL can be sent via email). For that reason, we intend to block top-frame navigations to data URLs.
We are considering two alternative implementations:
Alternative 1:
Block only content initiated top-frame navigations to data URLs, while still allowing direct navigations to them. Similar measures are already in place for other schemes such as “chrome:”, “chrome-devtools:” and more recently, “view-source:”.
In practice, these will be blocked:
Navigations when the user clicks on links in the form of <A HREF=”data:…”>
window.open(“data:…”)
window.location = “data:…”
Meta redirects
The following will still be allowed:
User navigating to the URL by typing or pasting it in the omnibox
Downloads from these protocols:
Via non-browser-handled MIME types
Via <A download>
Via “Save link as”
Alternative 2:
Block all top-frame navigations to data URLs. This only differs from (1) in that it will additionally block direct navigations (“User navigating to the URL by typing or pasting it in the omnibox”).
In both cases, subresources with data URLs (e.g. <img src=”data:...”>, <iframe src=”data:...”>) will be allowed.
Pros of Approach 1:
Lower risk of breakage
Cons of Approach 2:
Might be confusing to some users ("why does it work when I type the address but not when I click the link?")
We might end up playing whack-a-mole with edge cases where we don't properly block the URLs
Pros of Approach 2:
Straightforward approach, consistent with IE/Edge behavior.
Might be simpler to implement.
Cons of Approach 2:
Higher risk of breakage
Compatibility Risk
IE and Edge already block all top-frame navigations to data URLs. Firefox and Safari allow them.
If we implement (2), Chrome’s behavior will align with IE/Edge after this change.
The blocking will be similar to how chrome:// URLs are handled:
For same page navigations, clicking the link won’t do anything, and a message will be displayed in the console.
For navigations in other tabs or popups, the page will navigate to about:blank instead.
No event handlers will be triggered.
Alternative implementation suggestion for web developers
The main use case for navigating to data URLs in the top frame is generating files (HTML, PDF, images etc.) on the fly and displaying them to the user.
For that use case, these alternatives exist:
- Generate the file on the backend and send it to the user over http/https.
- Initiate a download instead of displaying the URL.
- If the contents of the URL is trusted, iframe the URL so that the omnibox displays the site's URL.
Usage information
According to latest Stable Channel metrics over the last 28 days in January 2017, data URLs are 0.05% of all top-frame navigations among all platforms, and 0.01% of all navigations on Android.
OWP launch tracking bug
OWP tracking bug: https://crbug.com/684011
Discussion: https://crbug.com/594215
Entry on the feature dashboard
https://www.chromestatus.com/feature/5669602927312896
Requesting approval to remove too?
Yes, requesting approval to block top-frame navigations to data URLs.
We are considering two alternative implementations:
Alternative 1:
Block only content initiated top-frame navigations to data URLs, while still allowing direct navigations to them. Similar measures are already in place for other schemes such as “chrome:”, “chrome-devtools:” and more recently, “view-source:”.
Alternative 2:
Block all top-frame navigations to data URLs. This only differs from (1) in that it will additionally block direct navigations (“User navigating to the URL by typing or pasting it in the omnibox”).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
I can sympathize with the risk it entails
--
lgtm2
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Maybe the way to go is to not have this restriction for webview?
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
As others have mentioned, this looks like a fairly breaking change for various approaches to testing. For example, Intern ( http://theintern.github.io/intern/ ) uses top-level data URLs approach within its Leadfoot ( https://github.com/theintern/leadfoot ) library to run a series of feature tests using WebDriver, prior to running tests. This is to prevent user tests from triggering known WebDriver defects. I don't see either proposed alternative working in this scenario, since it's in the context of an automated testing environment.
--
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To clarify, I'm going to proceed with Approach #1 (only blocking content initiated navigations). The feedback from this thread indicates that full blockage will be too disruptive and may break legitimate use cases.> In the future we should probably have design discussions before the intent to deprecate phase. Having multiple ideas, one very extreme and one less so in the same intent makes this discussion hard to follow.We had a separate discussion before sending this intent, and listing both approaches was a decision from that discussion.Rick, Jochen, Philip: Could you please clarify that you are LGTM'ing Approach #1?> From there users can right click the element and choose "Open in a new tab" or "download" and this would break that.Downloads shouldn't be blocked in either case. In contrast, "Open in a new tab" will be broken in both cases to be consistent with the blocking of other URLs such as chrome://, view-source:// etc ("Open in a new tab/window" doesn't work with these URLs). That is, unless we make an exception for data URLs.
On Feb 6, 2017 1:51 PM, "Mustafa Emre Acer" <mea...@chromium.org> wrote:To clarify, I'm going to proceed with Approach #1 (only blocking content initiated navigations). The feedback from this thread indicates that full blockage will be too disruptive and may break legitimate use cases.> In the future we should probably have design discussions before the intent to deprecate phase. Having multiple ideas, one very extreme and one less so in the same intent makes this discussion hard to follow.We had a separate discussion before sending this intent, and listing both approaches was a decision from that discussion.Rick, Jochen, Philip: Could you please clarify that you are LGTM'ing Approach #1?> From there users can right click the element and choose "Open in a new tab" or "download" and this would break that.Downloads shouldn't be blocked in either case. In contrast, "Open in a new tab" will be broken in both cases to be consistent with the blocking of other URLs such as chrome://, view-source:// etc ("Open in a new tab/window" doesn't work with these URLs). That is, unless we make an exception for data URLs.That seems like a pretty serious breakage. A user choosing "Open in tab" on an image with a data URL src is very reasonable for an offline image editor app or photo galleries. For example Google image search even used data urls for thumbnails at one point.I don't see why choosing an option like that from a context menu (or dragging the image into the tab strip) would be different from a user pasting the URL into the omnibox.
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
OK, as long as we're going with approach #1 this probably is okay for WebView, but since we don't have metrics (or a large dev/beta population) we aren't likely to find out if this breaks a lot of WebView apps until after it ships to stable - we'll have to keep an eye on incoming bug reports for any developers/users reporting issues here.