Open Bug 1895528 Opened 1 year ago Updated 1 year ago

Consider removing security.data_uri.block_toplevel_data_uri_navigations pref

Categories

(Core :: DOM: Security, task)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: gregp, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

It's been enabled by default for about 7 years now (bug 1401895). Ignoring tests, is this pref still necessary?

If we need to chunk this down we could remove the pref from StaticPrefs (and thus about:config) but use the dynamic pref service to check for a non-default value. That would keep the tests working, and data: navigations are extremely uncommon (because we block them by default!) so the slower lookup wouldn't add any performance trouble.

If we don't want to do that but want to completely remove the pref, we must carefully check all the tests that set the value to false rather than simply toss them. Some might be obsolete, but a lot are regression testing bugs in data: documents that we still want to test. Those could perhaps be rewritten to put the data: document in a frame.

Severity: -- → N/A
Whiteboard: [domsecurity-backlog]
You need to log in before you can comment on or make changes to this bug.