Limits on data URIs
- gemini://skyjake.fi/gemlog/2022-02_our-old-friend-the-data-url.gmi
- gemini://gemini.thegonz.net/glog/220213-extensibilityHolesAndClientDiversity.gmi
- gemini://skyjake.fi/gemlog/2022-02_re-holes-and-diversity.gmi
- gemini://rawtext.club/~nervuri/journal/2022-02-20_on-data-uris.gmi
In short, Lagrange v1.11 will support automatically displaying inline images embedded as "data:" URIs. This feature will be disabled by default and data URIs will only be auto-displayed if smaller than 8 KB. Skyjake outlines some potential benefits of data URIs in his post, as well as certain downsides. He writes:
> My hope is that the Gemini specification will set a limit for link line URI length for non-Gemini schemes as it has for the Gemini scheme. Defining an arbitrary universal limit may prevent the proper use of some schemes, but in the context of Gemtext this seems reasonable.
I agree that the specification should limit the scope for abuse. Limiting URI length is one idea; another is to add a few broad rules such as:
- no inline rendering of any resource pointed to by (or included in) a URI, unless knowingly triggered by the user (this may or may not include opt-ins like the one Lagrange will introduce);
- no inline auto-play, including GIFs (I can't believe this is becoming an issue);
- no code execution (by the way, there is also a "javascript:" scheme).
Alternatively, a rule specifically targeting data URIs could prohibit their inline rendering or limit it by maximum size and/or allowed MIME types.
Adding such things to the specification is perhaps inelegant, but it is better than leaving these holes unplugged.
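A sketch of how a client could enforce the rules above before auto-displaying a link target. This is an added example, not code from Lagrange or from the Gemini specification. It assumes the 8 KB limit applies to the whole URI and that the allowlist contains only static image types; the function name, the constants and the sample lines are hypothetical.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes

MAX_URI_BYTES = 8 * 1024  # assumption: the 8 KB limit is measured on the whole URI
# Assumption: static images only; image/gif is left out because of the no-auto-play rule.
ALLOWED_MIME = {"image/png", "image/jpeg", "image/webp"}

# Constructed sample link lines (payloads are placeholders, not real images).
SAMPLES = ["=> data:image/png;base64,aGVsbG8= tiny picture",
           "=> data:image/gif;base64,aGVsbG8= animation",
           "=> javascript:alert(1) click me"]

def inline_decision(link_line, user_opted_in=False):
    """Return (allowed, reason) for auto-displaying the target of a gemtext link line."""
    if not link_line.startswith("=>"):
        return False, "not a link line"
    parts = link_line[2:].split(maxsplit=1)
    if not parts:
        return False, "empty link"
    uri = parts[0]
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "data":
        return False, "not a data URI"  # javascript: and friends are never rendered inline
    if not user_opted_in:
        return False, "inline display is off by default"
    if len(uri.encode("utf-8")) >= MAX_URI_BYTES:  # checked before any decoding work
        return False, "URI too large"
    header, comma, payload = rest.partition(",")
    if not comma:
        return False, "malformed data URI"
    params = header.split(";")
    mime = params[0].strip().lower() or "text/plain"  # RFC 2397 default media type
    if mime not in ALLOWED_MIME:
        return False, "MIME type not allowed: " + mime
    try:
        if "base64" in (p.strip().lower() for p in params[1:]):
            data = base64.b64decode(unquote_to_bytes(payload), validate=True)
        else:
            data = unquote_to_bytes(payload)
    except (binascii.Error, ValueError):
        return False, "payload does not decode"
    if not data:
        return False, "empty payload"
    return True, "ok"

if __name__ == "__main__":
    for line in SAMPLES:
        print(inline_decision(line, user_opted_in=True), line)
```

Every branch that returns False leaves the link as an ordinary link line that the user can still open deliberately.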