
3.06.2008

Microsoft Cripples Data URIs

So I’m ramrodding the new Internet Explorer 8 beta yesterday, reading through a white paper or dozen, and all of a sudden I hit a brick wall.

During MIX 07, Internet Explorer platform architect Chris Wilson asked a developer why he would want data URL support in Internet Explorer. The answer given was “bullets and backgrounds.” And if Microsoft doesn’t change the way IE8 handles data URLs, that’s all data URLs will be good for!

Microsoft has chosen to make data URLs unnavigable and (from what I can tell) restricted to non-HTML data only, destroying the versatility of this technology. I can’t, for example, use a data URI to construct a complex web page on the fly (mostly because IE8 also imposes a 2 kilobyte URL limit). Likewise, I can’t paste the data URI of an image into the address bar and display it. The only reason given for these draconian restrictions is some illusive security threat that no other browser vendor can see.

Also, anything that could conceivably be done with data URIs could also be done with the barely-restricted Javascript URI.

The truly infuriating thing, though, is the size restriction placed on data URLs: the maximum is 32 kilobytes. Take this test case I wrote, for example:

Both the image and background render perfectly in browsers that aren’t Internet Explorer, but only the smaller background image will render in IE8. This excruciatingly low limit serves no purpose other than to prevent the embedding of images larger than 32 kilobytes, and create a disconnect between data URI-capable browsers. I hope Microsoft will rethink its implementation of data URIs before IE8 goes gold, because this is just ridiculous.

Processing 11×100 Robo-Comments:

Blogger Jon the Intergalactic Gladiator gesticulated...

Huh? I don't see nuthin'

3/06/2008 10:35 PM  
Blogger Gyrobo gesticulated...

That's because Internet Explorer under version 8 doesn't support data URIs at all.

If it did, you'd be seeing this image.

I should update the thing to tell people that.

3/06/2008 10:37 PM  
Blogger Professor Xavier gesticulated...

That is a much cooler image. My question though is - why make IE8 at all? Isn't IE7 perfect?

3/09/2008 4:26 PM  
Blogger Bathroom Hippo gesticulated...


That pic totally frames Firefox for something it didn't do man!!

Why?!

3/11/2008 2:25 PM  
Anonymous Anonymous gesticulated...

Mozilla bug 255107 explains the data: URI security problem in much more detail and the XSS Cheat Sheet includes exploits that use it.

Seems to me that it's no better/worse than Javascript; just less well known and thus less well patrolled. I'm still a fan of data: URIs and Firefox so it's good to see MSIE8 snatch defeat from the jaws of victory.

5/08/2008 3:57 PM  
Blogger Gyrobo gesticulated...

I totally agree. If the data: protocol came out in 1995, we'd already know its actual attack vectors and restrict it in those contexts as we do with Javascript URIs.

But it's premature to arbitrarily restrict an emerging technology with such potential.

5/08/2008 4:17 PM  
Anonymous Anonymous gesticulated...

By encoding arbitrary binary file types as base64-encoded data URIs, malware scanners are unable to detect the malware unless they support decoding them in HTML files first.

AFAIK virus scanners don't do that yet. Also it would not enhance performance.

8/28/2008 8:16 AM  
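
The gap described in the comment above (a scanner that sees only base64 text inside the HTML) closes once the scanner decodes each data: URI per RFC 2397 and inspects the resulting bytes. The following is an added example, not code from the post or its commenters: the signature table, the `ACTIVE_TYPES` set, the sample markup and the reading of the post's 32 KB limit as whole-URI length are all assumptions made for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import unquote_to_bytes

# data: URIs in quoted attribute values or CSS url(...): group 1 = header, group 2 = payload
DATA_URI_RE = re.compile(r"data:([^,\"'()\s]*),([^\"'()\s>]*)", re.IGNORECASE)
IE8_LIMIT = 32 * 1024  # cap cited in the post; applied to whole-URI length (assumption)
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Small constructed signature table; a real scanner would be handed the decoded bytes.
MAGIC = {b"MZ": "windows-executable", b"PK\x03\x04": "zip",
         b"\x89PNG": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}
IMAGE_KINDS = {"png", "gif", "jpeg"}

def decode_data_uri(header, payload):
    """Decode one RFC 2397 data URI into (media_type, bytes)."""
    params = header.split(";")
    media_type = params[0].lower() or "text/plain"  # RFC 2397 default type
    raw = unquote_to_bytes(payload)  # percent-decoding applies to both forms
    if any(p.strip().lower() == "base64" for p in params[1:]):
        raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))  # tolerate missing padding
    return media_type, raw

def scan_html(html):
    """Return one finding per embedded data URI, describing the decoded content."""
    findings = []
    for m in DATA_URI_RE.finditer(html):
        try:
            media_type, body = decode_data_uri(m.group(1), m.group(2))
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"error": "undecodable", "uri_len": len(m.group(0))})
            continue
        sniffed = next((n for sig, n in MAGIC.items() if body.startswith(sig)), "unknown")
        findings.append({
            "declared": media_type, "sniffed": sniffed, "decoded_len": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),  # for reputation lookups
            "active_content": media_type in ACTIVE_TYPES,
            "over_ie8_limit": len(m.group(0)) > IE8_LIMIT,
            # declared as an image, but the bytes match a known non-image signature
            "type_mismatch": media_type.startswith("image/")
                             and sniffed not in IMAGE_KINDS | {"unknown"},
        })
    return findings

def b64(data):
    return base64.b64encode(data).decode()

# Constructed sample page: mislabelled payload, HTML document, genuine GIF header.
SAMPLE = (
    '<img src="data:image/png;base64,' + b64(b"MZ constructed, not a real executable") + '">'
    '<a href="data:text/html,%3Ch1%3Ehi%3C%2Fh1%3E">x</a>'
    '<div style="background:url(data:image/gif;base64,' + b64(b"GIF89a constructed") + ')"></div>'
)
```
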
Anonymous Anonymous gesticulated...

The website you are using to host that image (http://www.freewebtown.com/) has been reported as an attack site so cannot be viewed in Firefox 3 without turning safebrowsing off:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://www.freewebtown.com/roboshrub/data_uri.html

9/19/2008 7:59 PM  
Blogger Gyrobo gesticulated...

Fie and foo!

Thanks for alerting me. I've been transferring my files to a new host and forgot to change the links here.

9/20/2008 12:05 AM  
Anonymous Anonymous gesticulated...

"If the data: protocol came out in 1995, we'd already know its actual attack vectors and restrict it in those contexts as we do with Javascript URIs."

Data URLs have been around since at least 1998... You'd think 10 years would be enough.

http://tools.ietf.org/html/rfc2397

9/24/2008 12:57 AM  
Blogger Gyrobo gesticulated...

Sorry, I wrote the wrong date.

That means we're just three years from an epiphany!

9/24/2008 8:57 AM