Not allowed to navigate top frame to data URL

Intent to Deprecate and Remove: Top-frame navigations to data URLs

Summary

We intend to block web pages from loading data: URLs in the top frame using tags, window.open, window.location and similar mechanisms.

Motivation

data: URLs are generally a source of confusion for users. Because of their unfamiliarity and ability to encode arbitrary untrusted content in a URL, they are widely used in spoofing and phishing attacks. Another problem is that they can be passed along without a backing page that runs JavaScript (e.g. a data URL can be sent via email). For that reason, we intend to block top-frame navigations to data URLs.

We are considering two alternative implementations:

Alternative 1:

Block only content-initiated top-frame navigations to data URLs, while still allowing direct navigations to them. Similar measures are already in place for other schemes such as “chrome:”, “chrome-devtools:” and more recently, “view-source:”.
In practice, these will be blocked:

Navigations when the user clicks on links in the form of

window.open("data:…")

window.location = "data:…"

Meta redirects

The following will still be allowed:

User navigating to the URL by typing or pasting it in the omnibox

Downloads from these protocols:

Via non-browser-handled MIME types

Via

Via “Save link as”

Alternative 2:

Block all top-frame navigations to data URLs. This only differs from (1) in that it will additionally block direct navigations (“User navigating to the URL by typing or pasting it in the omnibox”).
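
A static check a site owner could run over their own pages to find the navigation mechanisms listed as blocked above (links, window.open, window.location, meta redirects) before they stop working. This is an added example, not part of the original post or Chromium's code; the function names and sample markup are constructed, and treating "links" as a elements with an href attribute is an assumption.

```javascript
// Added example: static audit for content-initiated navigations to data: URLs.
// All names and the sample markup are constructed for illustration.

// Mirror URL-parser leniency: tabs and newlines are dropped, leading control
// characters and spaces are trimmed, and the scheme is case-insensitive.
function isDataUrl(value) {
  const cleaned = value.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  return /^data:/i.test(cleaned);
}

// One pattern per mechanism; capture group 2 is always the URL string.
// Assumption: "links" means <a href>. Regexes only see literal strings, so
// URLs assembled at runtime need a dynamic check instead.
const PATTERNS = [
  { kind: "link", re: /<a\b[^>]*?\bhref\s*=\s*(["'])([\s\S]*?)\1/gi },
  { kind: "window.open", re: /\bwindow\.open\s*\(\s*(["'`])([\s\S]*?)\1/g },
  { kind: "window.location",
    re: /\b(?:window\.|top\.)?location(?:\.href)?\s*=\s*(["'`])([\s\S]*?)\1/g },
  { kind: "meta-refresh",
    re: /<meta\b[^>]*?http-equiv\s*=\s*["']?refresh["']?[^>]*?content\s*=\s*(["'])\s*\d+\s*[;,]\s*(?:url\s*=\s*)?([\s\S]*?)\1/gi },
];

// Returns [{ kind, line }] for every literal data: navigation found in source.
function findDataNavigations(source) {
  const findings = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of source.matchAll(re)) {
      if (!isDataUrl(m[2])) continue;
      findings.push({ kind, line: source.slice(0, m.index).split("\n").length });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page.
const SAMPLE = [
  '<meta http-equiv="refresh" content="0; url=data:text/html,hello">',
  '<a href=" DaTa:text/html,hello">open</a>',
  '<a href="https://example.test/">fine</a>',
  '<img src="data:image/png;base64,AAAA">', // subresource, not a navigation
  "<script>",
  '  window.open("data:text/html,hello");',
  '  window.location = "data:text/html,hello";',
  "</script>",
].join("\n");

console.log(findDataNavigations(SAMPLE));
```

The meta pattern expects http-equiv to appear before content inside the tag; markup with the attributes in the other order needs a second pattern or a real HTML parser.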

In both cases, subresources with data URLs (e.g.
,