Data URI scheme: Difference between revisions

{{Lowercase title}}The '''data URI scheme''' is a [[Uniform resource identifier|uniform resource identifier (URI)]] scheme that provides a way to include data in-line in [[Web page]]s as if they were external resources. It is a form of file literal or [[here document]]. This technique allows normally separate elements such as images and style sheets to be fetched in a single [[Hypertext Transfer Protocol|Hypertext Transfer Protocol (HTTP)]] request, which may be more efficient than multiple HTTP requests,<ref>{{cite web|url=http://blog.teamtreehouse.com/using-data-uris-speed-website|title=Using Data URIs to Speed Up Your Website|date=27 March 2014|publisher=Treehouse Blog}}</ref> and used by several browser extensions to package images as well as other multimedia contents in a single HTML file for page saving.<ref>{{cite web|url=https://chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle|title=SingleFile - Chrome Web Store|website=Chrome Web Store|accessdateaccess-date=25 August 2018}}</ref><ref>{{cite web|url=https://addons.mozilla.org/en-US/firefox/addon/single-file/|title=SingleFile – Add-ons for Firefox|website=Firefox Add-ons|accessdateaccess-date=25 August 2018}}</ref> {{As of|2015}}, data URIs are fully supported by most major browsers, and partially supported in [[Internet Explorer]] and [[Microsoft Edge]].<ref>{{cite web|url=http://caniuse.com/#feat=datauri|title=Can I use...|first=Alexis|last=Deveria|date=July 2015|accessdateaccess-date=31 August 2015}}</ref>

The syntax of data URIs was defined in [[Request for Comments|Request for Comments (RFC)]] 2397, published in August 1998,<ref>{{cite web|url=http://tools.ietf.org/html/rfc2397|title=RFC 2397 - The "data" URL scheme|author=Masinter, L|publisher=[[Internet Engineering Task Force]]|date=August 1998|accessdateaccess-date=2008-08-12}}</ref> and follows the [[Uniform resource identifier#Generic syntax|URI scheme syntax]]. A data URI consists of:

* An optional '''media type'''. The media type part may include one or more parameters, in the format <code>attribute=value</code>, separated by semicolons (<code>;</code>) . A common media type parameter is <code>charset</code>, specifying the character set of the media type, where the value is from the IANA list of [[character set]] names.<ref>{{cite web|url=https://www.iana.org/assignments/character-sets/character-sets.xhtml|title=Character Sets|editor1-first=Ned|editor1-last=Freed|editor2-first=Martin|editor2-last=Dürst|publisher=[[Internet Assigned Numbers Authority]]|date=20 December 2013|accessdateaccess-date=31 August 2015}}</ref> If one is not specified, the [[media type]] of the data URI is assumed to be <code>text/plain;charset=US-ASCII</code>.

* The '''data''', separated from the preceding part by a comma (<code>,</code>). The data is a sequence of zero or more [[octet (computing)|octets]] represented as characters. The comma is required in a data URI, even when the data part has zero length. The characters permitted within the data part include ASCII upper and lowercase letters, digits, and many ASCII punctuation and special characters. Note that this may include characters, such as colon, semicolon, and comma which are delimiters in the URI components preceding the data part. Other octets must be [[percent-encoding|percent-encoded]]. If the data is Base64-encoded, then the data part may contain only valid Base64 characters.<ref name="rfc3986">{{cite web|url=http://tools.ietf.org/html/rfc3986|title=Uniform Resource Identifiers (URI): Generic Syntax|author1-first=Tim|author1-last=Berners-Lee|author1-link=Tim Berners-Lee|author2-first=Roy|author2-last=Fielding|author2-link=Roy Fielding|author3-first=Larry|author3-last=Masinter|publisher=[[Internet Engineering Task Force]]|date=January 2005|accessdateaccess-date=31 August 2015}}</ref> Note that Base64-encoded <code>data:</code> URIs use the standard Base64 character set (with '<code>+</code>' and '<code>/</code>' as characters 62 and 63) rather than the so-called "[[Base64#URL_applications|URL-safe Base64]]" character set.

The data URI can be utilized to construct attack pages that attempt to obtain usernames and passwords from unsuspecting web users. It can also be used to get around [[cross-site scripting]] (XSS) restrictions, embedding the attack payload fully inside the address bar, and hosted via URL shortening services rather than needing a full website that is controlled by a third party.<ref>Phishing without a webpage – researcher reveals how a link itself can be malicious, Naked Security by Sophos, 31 AUG 2012 https://nakedsecurity.sophos.com/2012/08/31/phishing-without-a-webpage-researcher-reveals-how-a-link-itself-can-be-malicious/</ref> As a result, some browsers now block webpages from navigating to data URIs.<ref>{{cite web|title=Data URLs - HTTP &#124; MDN|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs#Common_problems|website=MDN Web Docs|publisher=Mozilla|accessdateaccess-date=11 May 2018}}</ref>