Closed
Bug 313893
Opened 19 years ago
Closed 19 years ago
"data:" URIs interpret "text/javascript" as "text/plain"
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: bugzilla2005, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7 Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7 Using "data:" for "text/javascript" does not seem to work; the content is displayed as plain text instead of being exectued. But "data:text/javascript," would be a nice alternative to the "javascript:" URI scheme, since the latter was never officially registered with the IANA. And at least the IETF draft (June 6, 2005) on Scripting Media Types [1] suggests in its Security Consideration section that "text/javascript" data ought to be executed: The "data" resource identifier scheme [RFC2397] in combination with the types defined in this document could be used to cause execution of untrusted scripts through the inclusion of untrusted resource identifiers in otherwise trusted content. Security considerations of [RFC2397] apply. Of course supporting "data:text/javascript," has security implications, but those are exactly the same as for "javascript:" URIs... [1] <http://www.ietf.org/internet-drafts/draft-hoehrmann-script-types-03.txt> Reproducible: Always Steps to Reproduce: 1. Request "data:text/javascript,alert("Test");" Actual Results: The text "Test" is displayed. Expected Results: An alert box saying "Test" should pop up.
Comment 1•19 years ago
|
||
No, that's not how it works. data: tries to load a file as if it were of that content-type, as a web page. This is like loading a .js file directly into the browser, instead of as a script belonging to a HTML document. INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•