313893 - "data:" URIs interpret "text/javascript" as "text/plain"

Status: RESOLVED INVALID

(Firefox :: General, defect)

Description

[bugzilla2005]

User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7

Using "data:" for "text/javascript" does not seem to work; the content is displayed as plain text instead of being exectued. But "data:text/javascript," would be a nice alternative to the "javascript:" URI scheme, since the latter was never officially registered with the IANA.

And at least the IETF draft (June 6, 2005) on Scripting Media Types [1] suggests in its Security Consideration section that "text/javascript" data ought to be executed:

   The "data" resource identifier scheme [RFC2397] in combination with
   the types defined in this document could be used to cause execution
   of untrusted scripts through the inclusion of untrusted resource
   identifiers in otherwise trusted content.  Security considerations of
   [RFC2397] apply.

Of course supporting "data:text/javascript," has security implications, but those are exactly the same as for "javascript:" URIs...

[1] <http://www.ietf.org/internet-drafts/draft-hoehrmann-script-types-03.txt>

Reproducible: Always

Steps to Reproduce:
1. Request "data:text/javascript,alert("Test");"
Actual Results:  
The text "Test" is displayed.

Expected Results:  
An alert box saying "Test" should pop up.

Comment 1

[Alex Vincent [:WeirdAl]]

No, that's not how it works.  data: tries to load a file as if it were of that content-type, as a web page.  This is like loading a .js file directly into the browser, instead of as a script belonging to a HTML document.

INVALID.