Is it possible to use ipfs:// directly in an HTML file?

For example, here I have an image on IPFS:

ipfs://bafybeicxdw3tao7epuhmszjdhea7i53avirgw6fnp2k6gelmfhlg7ky3g4/

If I use it as img src in an HTML file:

<img src="ipfs://bafybeicxdw3tao7epuhmszjdhea7i53avirgw6fnp2k6gelmfhlg7ky3g4/" />

Try opening that file in Brave (the latest version with IPFS support), it would give me an net::ERR_BLOCKED_BY_CLIENT error.

In Chrome (with IPFS Companion and local node), error would be net::ERR_UNKNOWN_URL_SCHEME.

Is it possible to reference ipfs:// directly in HTML like that?

AFAIK that’s currently not possible in Brave in a document that’s loaded via http.

Is it because of any security or privacy ramifications?

If I use [ipfs://] as img src in an HTML file

TLDR If you use Brave v1.19 the ipfs:// scheme can be used for subresources only if the root document was also loaded from ipfs:// (or ipns://)

This behavior was implemented on purpose.
Mixed-protocol behavior on the web is an uncharted territory and we want to do it right, without introducing unnecessary unknowns on the regular web.

Click here for more context

Note that modern browsers are HTTP-centric and the only cross-protocol behavior that is well understood is http:// vs https:/, with the only difference being TLS wrapper. HTTP-HTTPS cross-protocol requests follow well understood rules and nearly all concerns are guided by the secure context state of each side.

ipfs:// is something new, with different characteristics. It is marked as “secure context” in web browser, you have access to Web APIs as on https:// page, but it is not HTTPS. Thanks to content-addressing user gets integrity verification (which is not present in https://), but then browser asks multiple peers for content (instead a single server).

Together with Brave we decided to not expose ipfs:// on http* documents, and take time to audit, research, and understand potential value and all ramifications first.

2 Likes