Area
|
Quotation
|
Comment
|
Specification
|
1. Abstract
A new URL scheme, "data", is defined. It allows inclusion of small
data items as "immediate" data, as if it had been included
externally.
|
(list
of RFC defined URL schemes)
|
| Specification |
Some applications that use URLs also have a need to embed (small)
media type data directly inline. This document defines a new URL
scheme that would work like 'immediate addressing'.
|
specific size limitations and
security implications are provided below.
|
| Scheme |
data:[<mediatype>][;base64],<data>
|
|
Test
|
The <mediatype> is an Internet media type specification (with
optional parameters.)
...
If <mediatype> is omitted, it defaults to text/plain;charset=US-ASCII.
As a shorthand, "text/plain" can be omitted but the charset parameter supplied.
|
supports i18n
test no media type
test literal:
text/plain;charset=US-ASCII
test shortened:
text/plain
|
Test
|
The appearance of ";base64" means that the data
is encoded as base64. Without ";base64", the data (as a sequence of
octets) is represented using ASCII encoding for octets inside the
range of safe URL characters and using the standard %xx hex encoding
of URLs for octets outside that range.
|
|
Specification
|
The "data:" URL scheme is only useful for short values. Note that
some applications that use URLs may impose a length limit; for
example, URLs embedded within <A> anchors in HTML have a length limit
determined by the SGML declaration for HTML [RFC1866]. The LITLEN
(1024) limits the number of characters which can appear in a single
attribute value literal, the ATTSPLEN (2100) limits the sum of all
lengths of all attribute value specifications which appear in a tag,
and the TAGLEN (2100) limits the overall length of a tag.
|
test limits to lengths
|
Specification
|
The "data" URL scheme has no relative URL forms.
|
no hierarchial URL testing needed
|
Test
|
3. Syntax
dataurl := "data:" [ mediatype ] [ ";base64" ] "," data
mediatype := [ type "/" subtype ] *( ";" parameter )
data := *urlchar
parameter := attribute "=" value
where "urlchar" is imported from [RFC2396], and "type", "subtype",
"attribute" and "value" are the corresponding tokens from [RFC2045],
represented using URL escaped encoding of [RFC2396] as necessary.
|
test "data:"
test "data:,"
test w/ no "'" after ":"
can you have more than 1 parameter?
|
| Specification |
Attribute values in [RFC2045] are allowed to be either represented as
tokens or as quoted strings. However, within a "data" URL, the
"quoted-string" representation would be awkward, since the quote mark
is itself not a valid urlchar. For this reason, parameter values
should use the URL Escaped encoding instead of quoted string if the
parameter values contain any "tspecial".
|
test w/ quoted-string.
|
Specification
|
The ";base64" extension is distinguishable from a content-type
parameter by the fact that it doesn't have a following "=" sign.
|
content-type cannot be "base64"
base64 cannot be followed by "="
|
Test
|
data:,A%20brief%20note
|
|
Test
|
<IMG
SRC="data:image/gif;base64,R0lGODdhMAAwAPAAAAAAAP///ywAAAAAMAAw
AAAC8IyPqcvt3wCcDkiLc7C0qwyGHhSWpjQu5yqmCYsapyuvUUlvONmOZtfzgFz
ByTB10QgxOR0TqBQejhRNzOfkVJ+5YiUqrXF5Y5lKh/DeuNcP5yLWGsEbtLiOSp
a/TPg7JpJHxyendzWTBfX0cxOnKPjgBzi4diinWGdkF8kjdfnycQZXZeYGejmJl
ZeGl9i2icVqaNVailT6F5iJ90m6mvuTS4OK05M0vDk0Q4XUtwvKOzrcd3iq9uis
F81M1OIcR7lEewwcLp7tuNNkM3uNna3F2JQFo97Vriy/Xl4/f1cf5VWzXyym7PH
hhx4dbgYKAAA7"
ALT="Larry">
|
test as inline image
|
Test
|
data:text/plain;charset=iso-8859-7,%be%fg%be
|
|
Test
|
data:application/vnd-xxx-
query,select_vcount,fcol_from_fieldtable/local
|
|
Trivia
|
This idea was originally proposed August 1995. Some versions of the
data URL scheme have been used in the definition of VRML, and a
version has appeared as part of a proposal for embedded data in HTML.
Various changes have been made, based on requests, to elide the media
type, pack the indication of the base64 encoding more tightly, and
eliminate "quoted printable" as an encoding since it would not easily
yield valid URLs without additional %xx encoding, which itself is
sufficient. The "data" URL scheme is in use in VRML, new applications
of HTML, and various commercial products. It is being used for object
parameters in Java and ActiveX applications.
|
used in VRML, Java and ActiveX.
|
Warnings
|
Interpretation of the data within a "data" URL has the same security
considerations as any implementation of the given media type. An
application should not interpret the contents of a data URL which is
marked with a media type that has been disallowed for processing by
the application's configuration.
Sites which use firewall proxies to disallow the retrieval of certain
media types (such as application script languages or types with known
security problems) will find it difficult to screen against the
inclusion of such types using the "data" URL scheme. However, they
should be aware of the threat and take whatever precautions are
considered necessary within their domain.
The effect of using long "data" URLs in applications is currently
unknown; some software packages may exhibit unreasonable behavior
when confronted with data that exceeds its allocated buffer size.
|
data: URLs should be sent
through normal MIME security mechanism.
data: may not be recognized by firewalls.
buffer size problems should be tested.
|
References
|
References
[RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter,
"Uniform Resource Identifiers (URI): Generic Syntax", RFC
2396, August 1998.
[RFC1866] Berners-Lee, T., and D. Connolly, "Hypertext Markup
Language - 2.0.", RFC 1866, November 1995.
[RFC2045] Freed N., and N. Borenstein., "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.
|
|