Just another short note... this is a somewhat compelling and entirely unnecessary phishing opportunity - and a tiny symptom of the mess with URL handling. Firefox and Opera allow you to omit MIME type in data: URLs, possibly put random garbage into that section, and still get a valid HTML document. This is a natural extension of how the Content-Type header is handled in HTTP, but probably makes little or no sense here. With the use of Unicode homographs, you can create fairly believable URLs especially in Firefox: http://lcamtuf.coredump.cx/switch/index2.html The appearance may vary depending on your font selection; see http://lcamtuf.coredump.cx/switch/reference.jpg for a sample capture. If you know the special role of "data:", this won't fool you. But most browser users don't, even if they grasp the basics of URL syntax to begin with (of course, that part itself is not true in all too many cases). PS. It is probably better known that a less convincing variant of this can be achieved with javascript: URLs in MSIE and some other browsers. /mz
