So I’m ramrodding the new Internet Explorer 8 beta yesterday, reading through a white paper or dozen, and all of a sudden I hit a brick wall.
During MIX 07, Internet Explorer platform architect Chris Wilson asked a developer why he would want data URL support in Internet Explorer. The answer given was “bullets and backgrounds.” And if Microsoft doesn’t change the way IE8 handles data URLs, that’s all data URLs will be good for!
Microsoft has chosen to make data URLs unnavigable and (from what I can tell) restricted to non-HTML data only, destroying the versatility of this technology. I can’t, for example, use a data URI to construct a complex web page on the fly (mostly because IE8 also imposes a 2 kilobyte URL limit). Likewise, I can’t paste the data URI of an image into the address bar and display it. The only reason given for these draconian restrictions is some illusive security threat that no other browser vendor can see.
Also, anything that could conceivably be done with data URIs could also be done with the barely-restricted Javascript URI.
The truly infuriating thing, though, is the size restriction placed on data URLs: the maximum is 32 kilobytes. Take this test case I wrote, for example:Both the image and background render perfectly in browsers that aren’t Internet Explorer, but only the smaller background image will render in IE8. This excruciatingly low limit serves no purpose other than to prevent the embedding of images larger than 32 kilobytes, and create a disconnect between data URI-capable browsers. I hope Microsoft will rethink its implementation of data URIs before IE8 goes gold, because this is just ridiculous.
During MIX 07, Internet Explorer platform architect Chris Wilson asked a developer why he would want data URL support in Internet Explorer. The answer given was “bullets and backgrounds.” And if Microsoft doesn’t change the way IE8 handles data URLs, that’s all data URLs will be good for!
Microsoft has chosen to make data URLs unnavigable and (from what I can tell) restricted to non-HTML data only, destroying the versatility of this technology. I can’t, for example, use a data URI to construct a complex web page on the fly (mostly because IE8 also imposes a 2 kilobyte URL limit). Likewise, I can’t paste the data URI of an image into the address bar and display it. The only reason given for these draconian restrictions is some illusive security threat that no other browser vendor can see.
Also, anything that could conceivably be done with data URIs could also be done with the barely-restricted Javascript URI.
The truly infuriating thing, though, is the size restriction placed on data URLs: the maximum is 32 kilobytes. Take this test case I wrote, for example:Both the image and background render perfectly in browsers that aren’t Internet Explorer, but only the smaller background image will render in IE8. This excruciatingly low limit serves no purpose other than to prevent the embedding of images larger than 32 kilobytes, and create a disconnect between data URI-capable browsers. I hope Microsoft will rethink its implementation of data URIs before IE8 goes gold, because this is just ridiculous.
Labels: Web Development
Huh? I don't see nuthin'
That's because Internet Explorer under version 8 doesn't support data URIs at all.
If it did, you'd be seeing this image.
I should update the thing to tell people that.
That is a much cooler image. My question though is - why make IE8 at all? Isn't IE7 perfect?
That pic totally frames Firefox for something it didn't do man!!
Why?!
I totally agree. If the data: protocol came out in 1995, we'd already know its actual attack vectors and restrict it in those contexts as we do with Javascript URIs.
But it's premature to arbitrarily restrict an emerging technology with such potential.
By encoding arbitrary binary filetypes as base64encoded data-URI's, malware scanners are unable to detect the malware unless they support decoding them in HTML files first.
AFAIK virusscanners don't do that yet. Also it would not enhance performance.
The website you are using to host that image (http://www.freewebtown.com/) has been reported as an attack site so cannot be viewed in Firefox 3 without turning safebrowsing off:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://www.freewebtown.com/roboshrub/data_uri.html
Fie and foo!
Thanks for alerting me. I've been transferring my files to a new host and forgot to change the links here.
"If the data: protocol came out in 1995, we'd already know its actual attack vectors and restrict it in those contexts as we do with Javascript URIs."
Data URLs have been around since at least 1998... You'd think 10 years would be enough.
http://tools.ietf.org/html/rfc2397
Sorry, I wrote the wrong date.
That means we're just three years from an epiphany!