Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.
Resource URLs, URLs prefixed with the
resource: scheme, are used by
Firefox and Firefox browser extensions to load resources internally, but some of the
information is available to sites the browser connects to as well.
Resource URLs are composed of two parts: a prefix (
resource:), and a URL
pointing to the resource you want to load:
When arrows are found in the resource URL's ('->'), it means that the first file loaded the next one:
resource://<File-loader> -> <File-loaded>
Please refer to Identifying resources on the web for more general details.
In this article, we focus on resource URIs, which are used internally by Firefox to point to built-in resources.
Because some of the information shared by
resource: URLs is available to
websites, a web page could run internal scripts and inspect internal resources of
Firefox, including the default preferences, which could be a serious security and
For example, a script on Browserleaks highlights what Firefox reveals when queried by a simple script running on the site (you can find the code in https://browserleaks.com/firefox#more).
The file firefox.js passes preference names and values to the pref() function. For example:
Web sites can easily collect Firefox default preferences by overriding this
pref() function and using the script
Furthermore, some default values of preferences differ between build configurations, such as platform and locale, which means web sites could identify individual users using this information.
In order to fix this problem, Mozilla changed the behavior of loading resource: URIs in Firefox bug 863246, which landed in Firefox 57 (Quantum).
In the past, web content was able to access whatever
resource: URIs were
desired — not only Firefox's internal resources, but also extensions' assets. Now this
behavior is prohibited by default.
It is however still necessary for Firefox to load resources in web content under
certain circumstances. For example, if you open the view source page (View Page Source
or View Selection Source), you will find it requires
resource: URI. Resources that have to be exposed to web content have
been moved to a new location named
resource://content-accessible/, which is
isolated and only contains non-sensitive resources. In this way we can keep essential
resources exposed and have most threats eliminated.
Note: It is recommended that web and extension developers don't try to use resource URLs anymore. Their usage was hacky at best, and most usage won't work any more.
resource: is not defined in any specification.
resource: is Firefox only.