For example, here I have an image on IPFS:
If I use it as img src in an HTML file:
<img src="ipfs://bafybeicxdw3tao7epuhmszjdhea7i53avirgw6fnp2k6gelmfhlg7ky3g4/" />
Try opening that file in Brave (the latest version with IPFS support), it would give me an
In Chrome (with IPFS Companion and local node), error would be
Is it possible to reference ipfs:// directly in HTML like that?
AFAIK that’s currently not possible in Brave in a document that’s loaded via http.
Is it because of any security or privacy ramifications?
If I use [
ipfs://] as img src in an HTML file
TLDR If you use Brave v1.19 the
ipfs:// scheme can be used for subresources only if the root document was also loaded from
This behavior was implemented on purpose.
Mixed-protocol behavior on the web is an uncharted territory and we want to do it right, without introducing unnecessary unknowns on the regular web.
Click here for more context
Note that modern browsers are HTTP-centric and the only cross-protocol behavior that is well understood is http:// vs https:/, with the only difference being TLS wrapper. HTTP-HTTPS cross-protocol requests follow well understood rules and nearly all concerns are guided by the secure context state of each side.
ipfs:// is something new, with different characteristics. It is marked as “secure context” in web browser, you have access to Web APIs as on
https:// page, but it is not HTTPS. Thanks to content-addressing user gets integrity verification (which is not present in
https://), but then browser asks multiple peers for content (instead a single server).
Together with Brave we decided to not expose
http* documents, and take time to audit, research, and understand potential value and all ramifications first.