Bug 1892289 Comment 10 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

> Well, from a security perspective I'm not quite sure I see what the threat model is where blocking this is super useful. In most scenarios where an attacker could launch Firefox with an arbitrary commandline argument, they could provide a file or https URL with the potentially harmful content anyway, presumably?

The problem with data: urls is largely because they were used in spoofing attacks, not because the content itself is any more dangerous than any other web page. Those same spoofing attacks can be conducted from other communication apps like mail and chat so we do want to block them from there.

The command-line itself is not dangerous, except that we can't always tell when the link has come from a command line in a shell or from another app via the OS "default browser" handling. We do have an extra argument on Windows that lets us know, but we don't have an equivalent on Mac or Linux. Could we add another argument, like `-data` that the OS handler won't use and that we could interpret as "Yes, I am intentionally using a data url"?

> Well, from a security perspective I'm not quite sure I see what the threat model is where blocking this is super useful. In most scenarios where an attacker could launch Firefox with an arbitrary commandline argument, they could provide a file or https URL with the potentially harmful content anyway, presumably?

The problem with data: urls is largely because they were used in spoofing attacks, not because the content itself is any more dangerous than any other web page. We do NOT block data urls in an iframe (where users can't see the URL) which shows this isn't a security concern about the content. Those same spoofing attacks can be conducted from other communication apps like mail and chat so we do want to block them from there.

The command-line itself is not dangerous, except that we can't always tell when the link has come from a command line in a shell or from another app via the OS "default browser" handling. We do have an extra argument on Windows that lets us know, but we don't have an equivalent on Mac or Linux. Could we add another argument, like `-data` that the OS handler won't use and that we could interpret as "Yes, I am intentionally using a data url"?
