Changes

Security/CSP/Specification

554 bytes removed, 23:45, 8 March 2010
No data: URIs unless opted-in to via explicit policy
===No data: URIs unless opted-in to via explicit policy===
<font color="#a00">
* '''Restricted:''' User Agents MUST block data: URIs when used as a source for inline content.
</font>
<font color="#060">
* '''Allowed:''' User Agents MUST not block data: URIs when used as a source for inline content when explicitly opted-in to, e.g. allowed by the protected document's policy: <tt>X-Content-Security-Policy: allow self; img-src data:</tt>
</font>
* '''Justification:''' The data: URI scheme is designed to allow the loading of arbitrary textual or binary data into a document, including HTML, scripts, images, media files, etc.
** data: URIs are a potential vector for HTML and script injection which can be used by an attacker for XSS or website defacement.
** The increase in attack surface created by data: URIs, and the additional input sanitization required by sites wishing to use them, justifies the opt-in requirement for this feature in CSP.
* '''Vulnerability types mitigated:'''
*# data: URL script injection
* data: URIs can be re-enabled by adding "data:" as a source to any source directive. For example: <tt>img-src data: https://my-host.com</tt>
* <del>User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.</del>
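The opt-in rule above, as an added illustration that is not part of the specification or of any User Agent's implementation: a small evaluator for the old <tt>X-Content-Security-Policy</tt> syntax. It assumes that <tt>allow</tt> is the default source list for any directive not given explicitly, and that <tt>data:</tt> only matches when it is named literally in the relevant directive, so neither <tt>*</tt> nor <tt>self</tt> re-enables it.

```python
# Added example (not the CSP specification's or Firefox's code): decide whether a
# load is permitted under a policy such as "allow self; img-src data:".
from urllib.parse import urlparse


def parse_policy(header: str) -> dict:
    """Turn 'allow self; img-src data:' into {'allow': ['self'], 'img-src': ['data:']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [src.lower() for src in parts[1:]]
    return policy


def origin_of(url: str) -> str:
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """One source expression against one URL (assumed matching rules, see lead-in)."""
    if url.lower().startswith("data:"):
        # data: must be opted in to by name; '*' and 'self' never cover it.
        return source == "data:"
    if source == "*":
        return True
    if source == "self":
        return origin_of(url) == page_origin
    # Host source such as https://my-host.com: compare on origin.
    return origin_of(url) == source


def is_allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    """True when the policy permits loading `url` for `directive` (e.g. 'img-src')."""
    policy = parse_policy(header)
    # Assumption: a directive that is not listed falls back to the 'allow' list.
    sources = policy.get(directive.lower(), policy.get("allow", []))
    return any(source_matches(src, url, page_origin) for src in sources)


if __name__ == "__main__":
    page = "https://example.com"   # constructed sample origin
    print(is_allowed("allow self; img-src data:", "img-src", "data:image/png;base64,AAAA", page))
    print(is_allowed("allow *", "img-src", "data:image/png;base64,AAAA", page))
```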
===XBL bindings must come from chrome: or resource: URIs===