Hubbry Logo
View-source URI schemeView-source URI schemeMain
Open search
View-source URI scheme
Community hub
View-source URI scheme
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
View-source URI scheme
View-source URI scheme
View-source URI scheme
View on Wikipedia
from Wikipedia

The view-source URI scheme is used by some web browsers to construct URIs that result in the browser displaying the source code of a web page or other web resource.[1]

For example, the URI view-source:https://example.com should show the source of the page located at https://example.com.

In the early Internet, the View Source technique helped people learn by example to create their own web pages.[2]

On 25 May 2011, the 'view-source' URI scheme was officially registered with IANA[3] per RFC 4395.

Browser support

[edit]

Firefox and Internet Explorer both supported the scheme, but support was dropped from Internet Explorer in Windows XP SP2 due to security problems.[4] Firefox also suffered a similar security issue (by combining view-source and JavaScript URIs[5]), but still supported it in Firefox 1.5[6] after being fixed. In 2009, a new discovered bug was fixed in Firefox 3.0.9.[7]

Browser Supported?
Mozilla Firefox supported[8]
SeaMonkey supported
Netscape supported
Internet Explorer 4, 5 and 6 supported
Internet Explorer 6, 7, and 8 not supported after Windows XP SP2
Safari 3.2.1 supported
Safari 5, 6 not supported
Opera 7, 8, 9, 10, 11 not supported
Opera 15 and up supported
Google Chrome supported[9]
Web supported
HP webOS via third-party app (Internalz Pro)[10]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

View-source URI scheme

View on Grokipedia
from Grokipedia
The view-source URI scheme is a provisional Uniform Resource Identifier (URI) scheme designed to reference and display the source code of a resource identified by an absolute URI, allowing users to inspect the underlying content without executing it. Primarily implemented in web browsers, it prepends view-source: to a standard URI, such as view-source:https://example.com, to render the fetched resource's raw source—typically as plain text in UTF-8 encoding—rather than its interpreted form. This scheme facilitates debugging, learning, and analysis of web content but is not universally standardized beyond its provisional status. Specified in (IETF) draft document from 2011, the syntax follows Augmented Backus-Naur Form (ABNF) as view-source-uri = "view-source:" absolute-URI, where absolute-URI adheres to RFC 3986. Semantically, applications must retrieve the resource via its embedded URI and present its source code, often in a text/plain or text/html media type, while handling edge cases like non-HTTP URIs (e.g., tel:) by displaying a blank or zero-length response. Encoding follows standard URI percent-encoding rules from RFC 3986, ensuring compatibility with diverse resource types. In practice, the scheme is supported by most modern web browsers, including Mozilla Firefox and Google Chrome, enabling direct entry in address bars or hyperlink usage to view sources without loading the full page. However, implementations vary in display formatting, with no mandated styling beyond basic text representation, and older browsers like Internet Explorer discontinued support for security reasons. Security considerations include the potential exposure of confidential or copyrighted source material, requiring user caution to avoid unintended data leaks, as outlined in general URI security guidelines. The scheme's change controller is Mykyta Yevstifeyev, and it remains unregistered as permanent due to its application-specific nature.

Definition and Purpose

Definition

The view-source URI scheme is a specialized protocol that allows applications, particularly web browsers, to display the raw of a identified by an absolute URI, rather than rendering or interpreting its content. It is invoked by prepending "view-source:" to the absolute URI, instructing the client to fetch the resource and present it in a non-executable format, such as , thereby preventing the execution of embedded scripts, styles, or other dynamic elements. This scheme is registered with the (IANA) as a provisional URI scheme, following the registration procedures outlined in RFC 7595. The formal specification defines its syntax as view-source-uri = "view-source:" absolute-URI, where absolute-URI adheres to the generic syntax in RFC 3986, ensuring compatibility with existing URI structures. Semantically, it focuses on exposing the unaltered bytes returned by the server for resources like documents, typically encoded in as per RFC 3629, without applying client-side processing. In contrast to standard URI schemes such as or , which emphasize fetching, , and rendering resources for user interaction, the view-source scheme prioritizes transparency by delivering the raw source data directly, enabling inspection without the risks associated with active content execution. This distinction underscores its role in diagnostic and educational contexts within web applications.

Purpose and Benefits

The view-source URI scheme primarily enables users to inspect the raw of web resources, such as , CSS, and , directly within a without modifying or executing the original page content. This functionality allows developers and learners to examine the unprocessed markup and scripts as they are retrieved from the server, facilitating by revealing discrepancies between intended code and rendered output. For instance, it helps identify issues like malformed tags or unexpected server-side alterations that might not be apparent in the browser's visual representation. One key benefit of the view-source scheme is its embodiment of the "view source" effect, a foundational of web architecture that promotes transparency and ease of learning by making data formats human-readable and accessible. This approach simplifies the acquisition of expertise in web technologies, as users can directly study and experiment with using basic text tools, fostering innovation and without requiring specialized software. By demystifying how web pages are constructed, it has historically contributed to the web's growth as an open, educational platform. In modern contexts, the scheme enhances developer workflows through seamless integration with browser tools, allowing quick source inspection during active sessions to verify site authenticity or troubleshoot dynamic content generation. It supports educational transparency by enabling users to scrutinize potentially deceptive pages, such as those with hidden scripts, thereby reinforcing trust in web resources. Additionally, its non-executable nature provides a secure method for analysis, preventing accidental activation of malicious code during review.

Syntax and Usage

Syntax

The view-source URI scheme is formally defined using Augmented Backus-Naur Form (ABNF) as view-source: immediately followed by an absolute URI, where the absolute URI conforms to the generic syntax outlined in RFC 3986, Appendix A. This structure ensures that the scheme acts solely as a prefix wrapper around a fully qualified resource identifier, without modifying or reinterpreting the underlying URI's components, such as the scheme, authority, path, query, or fragment. For instance, a valid construction might appear as view-source:http://[example.com](/page/Example.com) or view-source:[https](/page/HTTPS)://[example.com](/page/Example.com)/page.[html](/page/HTML)?param=value#fragment, preserving the base URI's syntax and parameters intact for retrieval and display. Relative URIs are explicitly not permitted within the view-source scheme; only absolute URIs are supported to guarantee unambiguous resolution to the target resource's source code. The scheme itself introduces no additional syntactic elements or alterations to the base URI's handling of query parameters or fragments, which are processed according to the rules of the embedded URI's scheme (e.g., HTTP or HTTPS). In web contexts, this primarily applies to HTTP and HTTPS URIs, where the source code—typically HTML, CSS, or JavaScript—is displayed as plain text in UTF-8 encoding. For edge cases involving non-HTTP schemes, such as view-source:file:///local.html, support is implementation-dependent on the (e.g., ), which may display the file's contents if local file access is permitted, though the primary emphasis remains on web-based . In such scenarios, if the base URI does not reference a data-bearing , applications are recommended to resolve it to a zero-length response with text/plain media type and encoding.

Usage Examples

One common way to use the view-source URI scheme is by entering it directly into a web browser's address bar, such as view-source:https://www.example.com, which prompts the browser to fetch and display the raw source code of the specified page as plain text without rendering it. This approach allows users to inspect the original markup sent from the server, including any server-side generated content. In more advanced scenarios, the scheme can be incorporated into hyperlinks to provide on-demand source viewing. For example, an anchor element like <a href="view-source:https://www.site.com/page.html" rel="nofollow">View Page Source</a> enables users to click and open the in a new tab or window, depending on the browser's handling of the URI. Similarly, can leverage the scheme for quick access; a such as javascript:window.location='view-source:'+window.location.href; redirects the current page to its view-source equivalent, facilitating instant inspection without manual typing. These methods are often combined with browser developer consoles, where the scheme URI can be executed via the console for dynamic source examination during active sessions. The view-source scheme supports several common workflows in web development and education. Developers frequently use it for debugging by comparing the unrendered source—accessed via the address bar or a hyperlink—to the browser's DOM inspector, helping identify discrepancies caused by client-side modifications like JavaScript injections or CSS overrides. In educational contexts, instructors demonstrate web fundamentals by directing students to enter or link to view-source URIs of simple pages, allowing learners to study HTML structure, tags, and attributes directly from real-world examples without needing separate tools. This hands-on approach highlights how browsers interpret markup, making abstract concepts tangible for beginners.

History

Early Development

The view-source URI scheme originated from the need in early web browsers to provide users with access to the underlying source code, promoting education and transparency in the emerging . This capability was first implemented in ViolaWWW, an experimental browser developed starting in 1991 and released in 1992 by Pei-Yuan Wei at the . ViolaWWW featured a dedicated source viewer, allowing users to inspect the raw hypertext markup without editing capabilities, which supported learning and experimentation in the academic environment where the web was initially developed. Building on ViolaWWW's innovations, NCSA introduced a more user-friendly source viewing mechanism upon its release on April 22, 1993. included a "View Source" option accessible via the File menu, displaying the complete code of any loaded document in a separate window. This feature was designed to demystify construction for non-experts, encouraging widespread adoption and self-teaching among users in the nascent web era by revealing how text, images, and links were encoded. The view-source functionality achieved broad popularity and refinement with 1.0, released on December 15, 1994, which marked the first major commercial . Netscape integrated source viewing as a menu item, making it far more intuitive than previous implementations. This approach not only facilitated quick inspection for educational purposes but also influenced competing browsers, establishing informal precedents for URI-based access to —such as prefixing URLs with "view-source:" in the —long before any official registration.

Standardization

The 'view-source' URI scheme was provisionally registered with the (IANA) on May 25, 2011, following the guidelines outlined in RFC 4395 for URI scheme registration procedures. This registration defines the scheme as a mechanism for displaying the source code of a resource identified by an absolute URI, without executing it, allowing applications—particularly web browsers—to render the content typically as plain text encoded in UTF-8. The provisional status, rather than permanent, reflects that the scheme's primary specification remains an Internet-Draft rather than a full (RFC). The formal specification effort began with Internet-Draft draft-yevstifeyev-view-source-uri-01, authored by Mykyta Yevstifeyev and published on April 23, 2011. This draft formalized the syntax and intent of the scheme, specifying it as 'view-source:' followed by an absolute URI (per RFC 3986), and recommending display formats such as text/plain or in encoding to ensure consistent representation of the source code. Although the draft did not progress to full RFC status and expired in October 2011, its provisional registration with IANA enabled widespread browser implementations by providing an official reference for interoperability. This standardization marked a significant from the scheme's earlier ad-hoc adoption as a browser-specific feature in the to a recognized URI scheme, promoting cross-browser consistency and reducing implementation uncertainties post-2011. Subsequent updates in browser engines, such as enhanced syntax parsing and security alignments with URI standards like RFC 3986, have built on this foundation to maintain the scheme's utility without requiring further IETF advancement.

Browser Implementation

Supported Browsers

The view-source URI scheme enjoys broad support in contemporary desktop web browsers as of 2025. Other Chromium-based browsers, such as Brave and Vivaldi, provide full support on desktop platforms, inheriting Chromium's implementation. Google Chrome provides full support across all versions on desktop platforms, allowing users to prepend "view-source:" to any HTTP or HTTPS URL to display the raw HTML source code. Similarly, Mozilla Firefox offers full support in all versions on desktop, rendering the source code in a dedicated view or tab. Microsoft Edge, being Chromium-based, inherits full support on desktop, while Opera from version 15 onward also fully supports the scheme due to its Chromium foundation. Safari does not support the view-source URI scheme directly in the address bar or links post-version 5; source viewing is available only via the Develop menu (after enabling it in Safari > Settings > Advanced). On mobile platforms, support is generally partial; for instance, Chrome for Android exhibits limited functionality, where entering the scheme may trigger a search dropdown instead of directly displaying source, necessitating workarounds like extensions or developer tools. Historically, the scheme originated with early browsers such as , where it was supported for viewing page source via menu options and URI prefixes. versions 4 through 6 also supported it, enabling source display when prefixed to URLs. However, support was discontinued with SP2 due to security vulnerabilities that could expose sensitive information or enable attacks, and was not available in and subsequent versions. The feature was later reintroduced in modern rendering engines like Blink () and ( derivatives), restoring widespread compatibility.
BrowserVersion RangeDesktop SupportMobile SupportPlatform Notes
All versionsFullPartialFull on Windows/macOS/; limited on Android due to UI changes.
Mozilla FirefoxAll versionsFullPartialFull on desktop; extensions recommended for Android/.
Chromium-based (79+)FullPartialInherits Chrome behavior across platforms.
5+NoneNoneSource viewing via Develop menu only; no URI scheme support on macOS/.
15+FullPartialChromium-based; similar to Chrome on Android.
Internet Explorer4–6FullN/ADropped post-Windows XP SP2 for security.
All versionsFullN/AEarly implementation via View menu and URI.

Implementation Details

When a browser encounters a view-source URI, it first parses the scheme to identify the base resource by stripping the "view-source:" prefix, then fetches the content from the underlying URI using standard network protocols. The retrieved content is processed through a specialized rendering pipeline that treats it as , preventing the execution of embedded scripts, application of CSS stylesheets, or loading of iframes to ensure a , static display. This results in the source code being rendered in a new tab or window, often with optional to aid readability. In the Blink rendering engine, used by Chrome and Edge, a dedicated handler in the BrowserURLHandlerImpl rewrites the URI and invokes WebContents::ViewSource to load the content into an HTMLViewSourceDocument. This document sets a view-source mode flag (SetIsViewSource(true)), employing an HTMLViewSourceParser that escapes HTML entities and applies basic for tags and attributes without executing any dynamic elements. Caching behavior in Blink typically involves re-fetching the resource to guarantee the freshest source, though it may leverage the browser's general HTTP cache if headers permit. The engine in handles view-source through the nsViewSourceChannel protocol, which registers the scheme and creates a channel to fetch and wrap the base content in an "application/x-view-source" type document. This integrates with developer tools for enhanced features, such as line-numbered output via generated spans (e.g., ) and CSS-based applied through viewsource.css classes like .start-tag. Scripts and external resources are explicitly disabled during parsing, and since Firefox 42, the implementation prioritizes cached content from the original load to avoid unnecessary network requests, improving efficiency for repeated views. Browsers exhibit variations in handling non-text resources; for binary files like images accessed via view-source, the content is displayed as raw bytes interpreted as text, often resulting in unreadable garbled output or, if encoded, a representation. Error responses, such as pages, are fetched and rendered similarly, showing the server's error document with line numbers and highlighting where supported. Accessibility support includes compatibility with screen readers, which treat the output as navigable , though large sources may pose performance challenges for assistive technologies due to volume.

Security Considerations

Known Vulnerabilities

In 2015, a vulnerability in (MFSA 2015-149, CVE-2015-7214) allowed cross-site reading attacks by exploiting improper handling of data: and view-source: URIs, enabling attackers to bypass the and access content from other origins. This issue was reported by security researcher Tsubasa Iinuma and resolved in 43 by enhancing URI validation to prevent such violations. Early versions of (prior to Service Pack 2) supported the view-source: scheme but exposed in ways that risked leaking sensitive data, such as through integration with external editors like for rendering. Support was subsequently removed in IE 6 SP2 and later versions as part of broader hardening measures to mitigate potential information disclosure. In , additional issues have included WebExtensions using view-source: URLs to circumvent content restrictions (MFSA 2018-06, CVE-2018-5134), allowing extensions to access restricted resources; this was fixed in 59.

Privacy Implications

The view-source URI scheme can inadvertently expose sensitive information embedded within a web page's that is not visible in the rendered view, such as keys, hardcoded credentials, or internal comments containing secrets like database queries or debugging notes. For instance, files may include unrestricted keys for services like mapping providers, which, if discovered, could enable unauthorized access and financial abuse by third parties. Additionally, comments or metadata might reveal author details, internal IP addresses, or hidden administrative paths, facilitating profiling attacks or unauthorized system entry. In shared physical environments, such as public computers or collaborative workspaces, viewing the source increases shoulder-surfing risks, where observers could capture this hidden data more easily than from the sanitized rendered page. Accessing a resource via the view-source scheme typically triggers a new HTTP request to the server, even for previously loaded pages, as browsers treat it as a fresh navigation to fetch the raw content. This refetching can result in server access logs recording the request, potentially indicating a user's specific interest in inspecting the source code, which might contribute to indirect behavioral profiling over time. However, the scheme itself does not introduce direct tracking mechanisms, such as cookies or scripts, beyond standard HTTP logging. To mitigate these privacy risks, modern browsers disable the loading and execution of external resources, such as scripts, images, or stylesheets, when displaying view-source content, thereby preventing additional data leaks or unintended network activity during inspection. For example, is not executed, and linked assets are not fetched, isolating the view to the raw document alone. Users are advised to avoid inspecting source code from untrusted sites, especially in sensitive contexts, and to rely on developer tools for safer analysis when possible.

References

  1. https://www.iana.org/assignments/uri-schemes/prov/view-source
  2. https://datatracker.ietf.org/doc/html/draft-yevstifeyev-view-source-uri-01
  3. https://www.w3.org/TR/webarch/
  4. https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/url_display_guidelines/url_display_guidelines.md
  5. https://www.rfc-editor.org/rfc/rfc3986.html#appendix-A
  6. https://www.rfc-editor.org/rfc/rfc3986.html
  7. https://stackoverflow.com/questions/28854239/displaying-source-code-of-html
  8. https://stackoverflow.com/questions/9968680/view-source-bookmarklet-retrieve-original-source
  9. https://philip.greenspun.com/panda/html
  10. https://www.w3.org/History/19921103-hypertext/hypertext/WWW/Viola/violaWWWAbout.html
  11. http://www.softlab.ntua.gr/facilities/documentation/www/Mosaic-Docs-2.4/d2-concepts.html
  12. https://www.webdesignmuseum.org/software/netscape-navigator-1-0-in-1994
  13. https://www.rfc-editor.org/rfc/rfc3986
  14. http://www.csun.edu/~csunitr/guides/composer/v4/begWIN07.html
  15. https://learn.microsoft.com/en-us/previous-versions/aa767742%28v=vs.85%29
  16. https://source.chromium.org/chromium/chromium/src/+/main:content/browser/browser_url_handler_impl.cc
  17. https://searchfox.org/mozilla-central/source/netwerk/protocol/viewsource/nsViewSourceChannel.cpp
  18. https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/document_init.cc
  19. https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/html/parser/html_view_source_parser.cc
  20. https://source.chromium.org/chromium/chromium/src/+/main:content/browser/web_contents/web_contents_impl.cc
  21. https://searchfox.org/mozilla-central/source/devtools/client/shared/view-source.js
  22. https://bugzilla.mozilla.org/show_bug.cgi?id=1202546
  23. https://stackoverflow.com/questions/71341019/browsers-view-source-can-files-be-downloaded-this-way
  24. https://groups.google.com/a/chromium.org/g/chromium-accessibility/c/wRwiEHeMAwA
  25. https://www.mozilla.org/en-US/security/advisories/mfsa2015-149/
  26. https://www.akitasecurity.nl/advisory/AK20090402/akamai_download_manager_arbitrary_file_download___execution.html
  27. https://learn.microsoft.com/en-us/previous-versions/aa767742(v=vs.85)
  28. https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/
  29. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage
  30. https://datatracker.ietf.org/doc/html/draft-yevstifeyev-view-source-uri-00
  31. https://stackoverflow.com/questions/611617/can-firefoxs-view-source-be-set-to-not-make-a-new-get-request
  32. https://superuser.com/questions/243967/is-it-possible-to-change-chromes-view-source-behaviour-to-use-the-current-reque
  33. https://security.stackexchange.com/questions/84818/does-browser-view-source-mode-avoid-scripting-attacks
Add your contribution
Related Hubs
User Avatar
No comments yet.