im tryng to display images inline in an html email with caja, and the security policy seems to be stripping out all the encoded data.
data: URLs are not supported at all.
We'd be interested in someone contributing the feature.
It would involve modifying the uriRewrite function in domado.js to, in the particular case of data: URLs, allow them if they are in an <img> context (which is known to not execute content) or perhaps also if they are of a safe type (such as an image type), after verifying that supported browsers don't content-sniff data: URLs (I don't know if they do).
i found this issue which is related, but its form 5 years ago, so wondered if this is now supported?