Data URL Encodings

The following Data URL encoding examples demonstrate that the Subresource Integrity check accepts either an external URL or a Data URL as src. The two are interchangeable as long as the hash remains the same.

data:text/html,<script integrity='sha256-zC+dNFewSYDLmqdv0OvyUhKfUWXlfIySrKfYzjgxuA4=' src='https://coins.github.io/secure-bookmark/encodings/foo.js' crossorigin></script>
data:text/html,<script integrity='sha256-sFHon+re/xKBUEHD0J8Vw0kJzU3Lmz9pBEan/YVLNdg='  src='data:application/javascript,s=document.createElement(`script`);s.integrity=`sha256-zC+dNFewSYDLmqdv0OvyUhKfUWXlfIySrKfYzjgxuA4=`;s.src=location.hash.substr(1);s.crossOrigin=1;document.head.append(s)'></script>#data:application/javascript;base64,YWxlcnQoJ1NvdXJjZSBpbnRlZ3JpdHkgdmVyaWZpZWQhJykK
data:text/html,<script integrity='sha256-sFHon+re/xKBUEHD0J8Vw0kJzU3Lmz9pBEan/YVLNdg='  src='data:application/javascript,s=document.createElement(`script`);s.integrity=`sha256-zC+dNFewSYDLmqdv0OvyUhKfUWXlfIySrKfYzjgxuA4=`;s.src=location.hash.substr(1);s.crossOrigin=1;document.head.append(s)'></script>#data:application/javascript,alert('Source%20integrity%20verified!')%0A
data:text/html,<script integrity='sha256-sFHon+re/xKBUEHD0J8Vw0kJzU3Lmz9pBEan/YVLNdg='  src='data:application/javascript,s=document.createElement(`script`);s.integrity=`sha256-zC+dNFewSYDLmqdv0OvyUhKfUWXlfIySrKfYzjgxuA4=`;s.src=location.hash.substr(1);s.crossOrigin=1;document.head.append(s)'></script>#https://coins.github.io/secure-bookmark/encodings/foo.js
data:text/html,<script integrity='sha256-sFHon+re/xKBUEHD0J8Vw0kJzU3Lmz9pBEan/YVLNdg='  src='data:application/javascript;base64,cz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KGBzY3JpcHRgKTtzLmludGVncml0eT1gc2hhMjU2LXpDK2RORmV3U1lETG1xZHYwT3Z5VWhLZlVXWGxmSXlTcktmWXpqZ3h1QTQ9YDtzLnNyYz1sb2NhdGlvbi5oYXNoLnN1YnN0cigxKTtzLmNyb3NzT3JpZ2luPTE7ZG9jdW1lbnQuaGVhZC5hcHBlbmQocyk'></script>#https://coins.github.io/secure-bookmark/encodings/foo.js
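
The check behind these examples, as an added Node.js example that is not part of the original page: it decodes the base64 and percent-encoded payloads from the fragments above to bytes and computes the integrity value over them. The function and constant names are assumptions of this example; the two Data URLs and the pinned hash are copied from the examples above.

```javascript
// Added example, not from the original page. Runs under Node.js.
const { createHash } = require('crypto');

// Percent-decode a string to raw bytes (SRI hashes bytes, not characters).
function percentDecode(s) {
  const raw = Buffer.from(s, 'utf8');
  const out = [];
  for (let i = 0; i < raw.length; i++) {
    const hex = raw.toString('latin1', i + 1, i + 3);
    if (raw[i] === 0x25 && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(raw[i]); // literal byte, or a malformed escape kept as-is
    }
  }
  return Buffer.from(out);
}

// Decode the body of a data: URL: percent-decode first, then base64-decode
// if the media type ends in ";base64".
function decodeDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url);
  if (!m) throw new Error('not a data: URL');
  const body = percentDecode(m[2]);
  return /;\s*base64$/i.test(m[1])
    ? Buffer.from(body.toString('latin1'), 'base64')
    : body;
}

// Build the integrity attribute value for a decoded script body.
function sriValue(bytes, alg = 'sha256') {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// The two payload encodings used in the fragment examples above.
const BASE64_FORM =
  'data:application/javascript;base64,YWxlcnQoJ1NvdXJjZSBpbnRlZ3JpdHkgdmVyaWZpZWQhJykK';
const PERCENT_FORM =
  "data:application/javascript,alert('Source%20integrity%20verified!')%0A";
// Integrity value the loader in the examples pins for the payload.
const PAGE_INTEGRITY = 'sha256-zC+dNFewSYDLmqdv0OvyUhKfUWXlfIySrKfYzjgxuA4=';

for (const url of [BASE64_FORM, PERCENT_FORM]) {
  const value = sriValue(decodeDataUrl(url));
  console.log(value, value === PAGE_INTEGRITY ? 'matches page' : 'differs from page');
}
```

Because the hash is taken over the decoded bytes, any re-encoding of the same script passes the same integrity value, while a single changed byte (such as a dropped trailing newline) fails it.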

Top-Level Navigation

Top-level navigation to Data URLs is disabled in Chrome and Firefox. Fortunately, we can use history.pushState to store data persistently in the URL before bookmarking it:

history.pushState(0,0,location.href+'#data')