Handling of `<a href="data:...">`

[evilpie]

We allow anchors in the default configuration and only restrict javascript: URLs. data: URLs (especially inside an iframe) might look like XSS: https://x.com/KwanAleister/status/1985542748930523233

Personally I don't think data: URLs are special here, you could also link to a HTTP page that shows an alert. I filed this issue mainly for tracking.

[mozfreddyb]

The screenshot shared above looks scarier than it is because this test bed uses an iframe, that is navigated to data. In a more realistic setting, setHTML() would be used in the page itself and clicking the link would navigate to a new page and the address bar would update.

[mozfreddyb]

On another note, I'm not sold this is a bug we want to fix. But given the. current API design I think it's a bit of a dilemma

1. If we disallowed data URLs in links by default, how would we give users control to allow it given the current API shape? We would require a somewhat high-level function or boolean option that is sort of extra to all of the thingsl "allowDataURLLinks". Seems kinda ugly

2. If we keep the existing behavior, how would users disallow data URL links themselves? Call setHTML and then .querySelector(a) and manually edit all in a loop? Also not great.

[annevk]

I think 2 is what we decided on a long time ago. data: URLs are not all that different from a cross-origin URL, especially when a nested document is concerned.