Wouldn't it make more sense just to fix the URL bar to make data URIs look different? You could even go to the extreme of making it just show "data:…" and requiring you to put focus on it to find out the full URI.
I'm glad they aren't blocking explicit entries. This morning I discovered I could quickly send snippets of text to my phone by writing it as a data uri and sending the tab via Fx sync.
Depending on how exactly this block works, it may break an important functionality of our application :/<p>We generate SVG graphs in the browser, and have a button with a data:image/svg+xml URL to allow users to download these graphs, for example to include in a publication.
Hrm, I think this will block the only data uri I use: the 'this form' button on <a href="http://sprunge.us/" rel="nofollow">http://sprunge.us/</a>
Hopefully data:image/ still works for favicons. Embedding a highly compressible ~450 byte string in HTML is faster than issuing a new request, under most instances.
Does anyone have a (non-malicious) example of this sort of "attack"? I don't quite get it; some people are mentioning Javascript, but the description sounds more like a phishing, e.g. `data:text/html;base64,MyBank.com/account/xxxxx`<p>Presumably such leading junk is hidden in the rendered page, making the user think they're on MyBank.com?
I'm trying to figure out if this will kill Bookmarklets (<a href="https://en.wikipedia.org/wiki/Bookmarklet" rel="nofollow">https://en.wikipedia.org/wiki/Bookmarklet</a>)