Top-level navigation to data URLs has been blocked in Chrome, Firefox (with some exceptions), IE, and Edge (and likely other browsers to boot). They are apparently commonly used for phishing attacks, and major browser vendors decided that the danger outweighed the value provided by legitimate use cases.
This Mozilla security blog post explains that Firefox will block
- Web page navigating to a new top-level data URL document using:
window.open("https://stackoverflow.com/questions/11965087/data:…");window.location = "https://stackoverflow.com/questions/11965087/data:…"- clicking
<a href="https://stackoverflow.com/questions/11965087/data:…">(including ctrl+click, ‘open-link-in-*’, etc).- Web page redirecting to a new top-level data URL document using:
- 302 redirects to
"https://stackoverflow.com/questions/11965087/data:…"- meta refresh to
"https://stackoverflow.com/questions/11965087/data:…"- External applications (e.g., ThunderBird) opening a data URL in the browser
but will not block
- User explicitly entering/pasting
"https://stackoverflow.com/questions/11965087/data:…"into the address bar- Opening all plain text data files
- Opening
"data:image/*"in top-level window, unless it’s"data:image/svg+xml"- Opening
"data:application/pdf"and"data:application/json"- Downloading a data: URL, e.g. ‘save-link-as’ of
"https://stackoverflow.com/questions/11965087/data:…"
You can also read the proposal to deprecate and remove top-frame navigation to data URLs in Chrome and view the current Chrome status indicating that is has been removed.
As for how to actually open HTML in a new tab or window, this should be sufficient:
var tab = window.open('about:blank', '_blank');
tab.document.write(html); // where 'html' is a variable containing your HTML
tab.document.close(); // to finish loading the page
Note that at least in Chrome, external scripts injected via document.write might not be loaded on slower connections. That might not be relevant here, but something to watch out for.