googlearchive / caja

Caja is a tool for safely embedding third party HTML, CSS and JavaScript in your website.
Apache License 2.0

Consider supporting data: and javascript: uris where possible #1558

Open kpreid opened 9 years ago

kpreid commented 9 years ago

Original issue 1558 created by jasvir on 2012-10-07T06:57:13.000Z:

The client-side URI policy explicitly drops all schemes that are not http, https or mailto. However, some data: uris are supportable in the ES5/3 case, and all data: and javascript: uris may be supportable in the ES5 case. This bug is to track support for these URIs.

kpreid commented 9 years ago

Comment #1 originally posted by dougk16 on 2012-10-09T03:44:31.000Z:

The server also drops any schemes that are not http, https, or mailto, in UriPolicyNanny. Seems simple to add the scheme, but I'm sure some validation of the data uri is in order as well...maybe not in the scope of this issue though.

kpreid commented 9 years ago

Comment #2 originally posted by cgoldfeder@google.com on 2013-01-22T19:31:02.000Z:

Data uris would be very helpful for inline images. Would it help the security case if they were limited to being used for urls that hint as images? That would reduce the chance of dangerous content sniffing, I would think.

kpreid commented 9 years ago

Comment #3 originally posted by jasvir on 2013-01-22T19:40:46.000Z:

http://www.ietf.org/rfc/rfc2397.txt on parsing data uris.
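The scheme allow-list from comment #1 and the image-only data: restriction suggested in comment #2, written out as an added example (this is not Caja's own UriPolicy code). It parses data: URIs per RFC 2397, assumes Node.js for Buffer, and compares the decoded bytes against the declared image type so a payload cannot be sniffed as something other than what it claims.

```javascript
// Added example (not Caja code): a defender-side URI policy that admits only
// http/https/mailto plus data: URIs carrying raster images, per RFC 2397:
//   data:[<mediatype>][;base64],<data>
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Magic bytes for the raster formats we are willing to inline. image/svg+xml
// is deliberately absent: SVG is an image type that can carry script.
const IMAGE_MAGIC = {
  "image/gif": [[0x47, 0x49, 0x46, 0x38]], // "GIF8"
  "image/png": [[0x89, 0x50, 0x4e, 0x47]], // "\x89PNG"
  "image/jpeg": [[0xff, 0xd8, 0xff]],
};

function parseDataUri(uri) {
  // The "s" flag lets the payload span line breaks, as in comment #4's example.
  const m = /^data:([^,]*),(.*)$/is.exec(uri);
  if (!m) return null;
  const params = m[1].split(";").map((p) => p.trim().toLowerCase());
  const mediaType = params.shift() || "text/plain"; // RFC 2397 default
  const base64 = params.includes("base64");
  return { mediaType, base64, payload: m[2] };
}

function decodeBase64(s) {
  // Browsers apply forgiving-base64 decoding: strip ASCII whitespace first.
  const clean = s.replace(/[\t\n\r ]+/g, "");
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(clean) || clean.length % 4 === 1) return null;
  return Buffer.from(clean, "base64"); // Node; use atob() in a browser
}

// Returns "allow" or a rejection reason; never throws on hostile input.
function checkUri(uri) {
  const trimmed = uri.trim();
  const scheme = /^([a-z][a-z0-9+.-]*:)/i.exec(trimmed);
  if (!scheme) return "reject: relative or schemeless";
  const s = scheme[1].toLowerCase();
  if (ALLOWED_SCHEMES.has(s)) return "allow";
  if (s !== "data:") return `reject: scheme ${s} not allowed`;
  const d = parseDataUri(trimmed);
  if (!d) return "reject: malformed data URI";
  const magics = IMAGE_MAGIC[d.mediaType];
  if (!magics) return `reject: media type ${d.mediaType} not an allowed image`;
  if (!d.base64) return "reject: only base64 image payloads accepted";
  const bytes = decodeBase64(d.payload);
  if (!bytes) return "reject: invalid base64";
  const ok = magics.some((sig) => sig.every((b, i) => bytes[i] === b));
  return ok ? "allow" : "reject: payload does not match declared image type";
}
```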

kpreid commented 9 years ago

Comment #4 originally posted by francesco.barreca@injenia.it on 2013-09-01T12:12:47.000Z:

I'm trying to find out a way to insert an image in an HTML page through the Google Apps Script HTML Service using this type of notation.

<a href="http://www.britblog.com/"><img src="data:image/gif;base64,R0lGODlhUAAPAKIAAAsLav///88PD9WqsYmApmZmZtZfYmdakyH5BAQUAP8ALAAAAABQAA8AAAPb
WLrc/jDKSVe4OOvNu/9gqARDSRBHegyGMahqO4R0bQcjIQ8E4BMCQc930JluyGRmdAAcdiigMLVr
ApTYWy5FKM1IQe+Mp+L4rphz+qIOBAUYeCY4p2tGrJZeH9y79mZsawFoaIRxF3JyiYxuHiMGb5KT
kpFvZj4ZbYeCiXaOiKBwnxh4fnt9e3ktgZyHhrChinONs3cFAShFF2JhvCZlG5uchYNun5eedRxM
AF15XEFRXgZWWdciuM8GCmdSQ84lLQfY5R14wDB5Lyon4ubwS7jx9NcV9/j5+g4JADs=
" alt="British Blog Directory" width="80" height="15" /></a>

Using a simple HTML file in the Apps Script editor, the data image part in it isn't considered.

The same happens with a downloadable attachment I want to show with Html Service:

<img src='" + get_icon_src(filename) + "'></img><a href='data:application/octet-stream;base64," + b64body + "' download='" + filename + "'>" + filename + "</a>

kpreid commented 9 years ago

Comment #5 originally posted by kpreid@google.com on 2013-11-11T19:26:56.000Z:

<empty>

kpreid commented 9 years ago

Comment #6 originally posted by paul@lucidchart.com on 2013-12-17T18:23:53.000Z:

The javascript: URIs may have security concerns, but it seems relatively straightforward to use data: URIs, particularly for images.

I am trying to make a Google Apps Script add-on that has images requiring authentication. Inline images would make this work.

telamonian commented 8 years ago

Has there been any movement on this issue? In a roundabout way, the lack of support for <img src="data:image/gif;base64,R0lGODl... type tags is preventing me (and everyone else) from embedding images directly in IPython Notebooks.

tapananand commented 7 years ago

Hi, any movement on this?

kpreid commented 7 years ago

New features for Caja are pretty much on hold for the time being. However, if you'd like to write a patch to add this one we'd be happy to review and incorporate it.