The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests. Data URIs are sometimes referred to incorrectly as "data URLs". As of 2015, data URIs are fully supported by most major browsers, and partially supported in Internet Explorer and Microsoft Edge.
Syntax
The syntax of data URIs was defined in Request for Comments (RFC) 2397, published in August 1998, and follows the URI scheme syntax. A data URI consists of:
data:[<media type>][;base64],<data>
The scheme, data. It is followed by a colon (:).
An optional media type. If one is not specified, the media type of the data URI is assumed to be text/plain. It can contain an optional character set parameter, separated from the preceding part by a semicolon (;). A character set parameter comprises the label charset, an equals sign (=), and a value from the IANA list of official character set names. If this parameter is not present, the character set of the content is assumed to be US-ASCII (ASCII).
The optional base64 extension base64, separated from the preceding part by a semicolon. When present, this indicates that the data content of the URI is binary data, encoded in ASCII format using the Base64 scheme for binary-to-text encoding. Data URIs encoded in Base64 may contain whitespace for human readability.
The data, separated from the preceding part by a comma (,). The data is a sequence of octets represented as characters. Permitted characters within a data URI are the ASCII characters for the lowercase and uppercase letters of the modern English alphabet, and the Arabic numerals. Octets represented by any other character must be percent-encoded, as in %26 for an ampersand (&).
HTML
An HTML fragment embedding a picture of a small red dot:
CSS
A Cascading Style Sheets (CSS) rule that includes a background image:
JavaScript
A JavaScript statement that opens an embedded subwindow, as for a footnote link:
Malware and phishing
The data URI can be used by criminals to construct attack pages that attempt to obtain usernames and passwords from unsuspecting web users. It can also be used to get around cross-site scripting restrictions by embedding the attack payload entirely inside the address bar, and such pages can be hosted via URL shortening services rather than needing a full website that is owned by the criminal.
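An added example, not part of the original article: a Python parser that follows the syntax described above (text/plain and US-ASCII defaults, percent-decoding, whitespace-tolerant Base64) so that a link scanner can see what a data URI actually carries. The ACTIVE_TYPES set, the function names and the sample inputs are assumptions of this example.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes

# Assumption of this example (not from the page): media types that a browser
# treats as a document or script rather than as inert data.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript"}


def parse_data_uri(uri):
    """Split data:[<media type>][;base64],<data> into its parts and decode the data."""
    scheme, colon, rest = uri.strip().partition(":")
    if not colon or scheme.lower() != "data":
        raise ValueError("not a data URI")
    header, comma, data = rest.partition(",")
    if not comma:
        raise ValueError("no comma separating the header from the data")
    fields = [f.strip() for f in header.split(";")]
    # The base64 extension, when present, is the last ;-separated field.
    is_base64 = len(fields) > 1 and fields[-1].lower() == "base64"
    if is_base64:
        fields.pop()
    media_type = fields[0].lower() or "text/plain"    # default when omitted
    params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    charset = next((v for k, v in params.items() if k.lower() == "charset"), "US-ASCII")
    payload = unquote_to_bytes(data)                   # undo %26-style escapes
    if is_base64:
        payload = b"".join(payload.split())            # whitespace is allowed
        payload += b"=" * (-len(payload) % 4)          # tolerate missing padding
        try:
            payload = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"invalid Base64 data: {exc}") from exc
    return {"media_type": media_type, "charset": charset,
            "base64": is_base64, "payload": payload}


def is_active_content(uri):
    """True when a link's data URI would load as a page or script (per ACTIVE_TYPES)."""
    try:
        return parse_data_uri(uri)["media_type"] in ACTIVE_TYPES
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    html = "data:text/html;base64," + base64.b64encode(b"<p>constructed</p>").decode()
    for sample in (html, "data:,A%26B", "https://example.com/"):
        print(sample[:40], is_active_content(sample))
```

A mail or proxy filter can call is_active_content on each extracted link and hold those that return True for review, since the decoded payload is available for inspection without rendering it.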