'data:image' data links in page info. How to identify location/allow retrieval without turning off tracker blocking?
One of the sites I regularly use (tesco.com) seems to have changed the way it gets thumbnail images of products, so that they no longer show up unless I turn off script blocking for a whole page. (Once I've got one page working, it continues working for the other pages, even if scripts are 'blocked' on those!?)
In the page info I see that the non showing images are only represented by 'data:image' followed by gif.64 and a long string of letters. I understand that this is an html link converted to data, but I don't know why, and have never seen this before. If I copy the 'link' into a new tab, it just goes to a black page. One time I did get a warning pop up from 'NoScript' that the page was doing some dodgy sort of call out, and 'did I want to disable it on this site'. I think it said the call out was to one of the Google sites, but I can't find any way to show this information when NoScript isn't warning me about it; and I can't seem to make 'NoScript' do the pop up every time I try to search with the data link: most times it just goes to the black page: only once or twice has it shown me the warning. I don't understand what's going on. :/
First time 'NoScript' gave the warning, I opted to 'allow this linking for this page', and the thumbnails then showed up, and the 'data:image' link info was replaced with a normal link to a jpg picture (odd because the data link had been prefixed 'gif;64' ?). I then wanted to know which script to enable for future use, but, when I disabled all the page scripts again, the thumbnails stayed there, and continued to work on the whole site: not just the current page!
When I logged out, and came back to continue shopping later, whatever the setting was, had been lost, and I had to go through the rigmarole of allowing all scripts, to get the thumbnails to show, and then turning off all but the main domain permission afterwards.
Can someone please explain what these data links are, and how to see where they are really aimed/what site a picture is actually on, before just letting them connect. And so how to allow just the exception that's needed to show the thumbnails.
Sorry if this sounds dumb, but it's all new to me.
Many thanks for any enlightenment.
All replies (4)
A data URI encoding an image usually would be self-contained and not require a second site. For example, in: https://en.wikipedia.org/wiki/Data_URI_scheme
Did you get the NoScript popup for a cross-site request? I see those from time to time but I haven't read one carefully for years so I don't remember exactly what they say.
A data URI like data:image/gif;base64,<base64 encoded image data> is a valid image that is embedded in the page code and doesn't need to be downloaded. If you paste this full data URI in the location bar then you should see the image.
Such data URIs are also used in the Firefox code.
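Added example (not part of the original replies): the sketch below decodes a data URI offline to show what it carries and that it names no remote host. It assumes Node.js (Buffer, URL); the helper names parseDataUri, describeGif and inspect are hypothetical, and the sample URI is constructed, not taken from the site in question.

```javascript
// Constructed sample: a 1x1 GIF in the "data:image/gif;base64,..." form
// described in the thread.
const SAMPLE_URI =
  'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

// Split "data:[<mediatype>][;base64],<data>" and decode the payload.
function parseDataUri(uri) {
  if (!uri.startsWith('data:')) throw new Error('not a data: URI');
  const comma = uri.indexOf(',');
  if (comma === -1) throw new Error('malformed data: URI (no comma)');
  const params = uri.slice(5, comma).split(';');
  const isBase64 = params[params.length - 1].toLowerCase() === 'base64';
  if (isBase64) params.pop();
  const mimeType = params[0] || 'text/plain'; // default media type
  const payload = uri.slice(comma + 1);
  const bytes = isBase64
    ? Buffer.from(payload, 'base64')
    : Buffer.from(decodeURIComponent(payload), 'utf8'); // percent-encoded text
  // A data: URI has no authority part, so there is no host to contact.
  const remoteHost = new URL(uri).host || null;
  return { mimeType, bytes, remoteHost };
}

// Read the GIF signature and the little-endian logical screen size.
function describeGif(bytes) {
  if (bytes.length < 10) return null;
  const signature = bytes.subarray(0, 6).toString('latin1');
  if (signature !== 'GIF87a' && signature !== 'GIF89a') return null;
  return {
    format: signature,
    width: bytes.readUInt16LE(6),
    height: bytes.readUInt16LE(8),
  };
}

// Summarise a data URI: type, size, host (none) and whether it is a 1x1 image.
function inspect(uri) {
  const { mimeType, bytes, remoteHost } = parseDataUri(uri);
  const gif = mimeType === 'image/gif' ? describeGif(bytes) : null;
  const likelyPlaceholder = gif !== null && gif.width <= 1 && gif.height <= 1;
  return { mimeType, byteLength: bytes.length, remoteHost, gif, likelyPlaceholder };
}

console.log(inspect(SAMPLE_URI));
```

A 1x1 result means the data URI is only a stand-in image; the address of the real picture is not inside it, which matches the thread's observation that the entry turns into a normal jpg link once scripts are allowed.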
Thanks for the super quick replies guys!
jscher2000: the Wiki reference looks pretty comprehensive, but I'm afraid I don't know enough of the basics of page design to be able to understand it without doing a lot of background reading first. Yes: the NoScript pop up was for a 'cross-site request', and there was a header with an html link mentioning Google. Unfortunately, when I saw there was a simple option to allow it on the page, I just selected it, without realising I would find it difficult to see again, or I'd have snipped it first. I kind of imagined this must mean that Tesco was using a Google cloud image database rather than keeping everything in the page from the start.
Thanks cor-el: That's what I tried to do. The first time, I got the 'cross-site request' pop up; most of the rest of the time I just got a black page. Once the scripts have been universally allowed for the page, the links in the page info revert to normal links ending in jpg, and the thumbnails go on working for the whole site, even if I revert the NoScript settings to default blocks-- until I log out and come back later--when it starts again.
Not a great inconvenience to do this, but if it's happening for others, they might think the site is broken, and give up.
I had another look at the Tesco site, and tried combinations of blocked and unblocked trackers again, to see if I'd missed something, and if I could make the xss warning come up again.
For cor-el to look at, I've included the snip of what the image data links produce when searched for in a new tab before enabling anything.
I couldn't make the cross-site warning come up again, but, *I did* discover that, for the images to show, Bing had to be enabled! I've never used Bing, so this seems rather odd. :/
I read a bit more of the NoScript user guide, and it mentions using the 'console' to see the individual script error messages. Following the guide's links, I find that the console is 'deprecated' now. I hit ctrl/shift/j to see what would happen, and did get a list of errors and other info, but it was only for the last half hour or so. Is there a way to look at errors from when the cross-site warning popped up yesterday?