Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 100924 - META HTTP-Equiv Content-Script-Type does not set default scripting language for inline scripting
: META HTTP-Equiv Content-Script-Type does not set default scripting language f...
: html4, testcase
Product: Core
Classification: Components
Component: DOM: Core & HTML (show other bugs)
: Trunk
: All All
: P4 normal with 4 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Jet Villegas (:jet)
: 354630 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2001-09-21 04:13 PDT by Keith Bowes
Modified: 2011-09-22 04:13 PDT (History)
17 users (show)
Ms2ger: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Testcase with vbscript (425 bytes, text/html)
2001-09-21 11:50 PDT, Christopher Hoess (gone)
no flags Details
Content-Style-Type works, but Content-Script-Type doesn't (581 bytes, text/html)
2001-09-22 09:29 PDT, Keith Bowes
no flags Details
proof-of-concept patch (4.14 KB, patch)
2002-12-12 08:42 PST, Harshal Pradhan
no flags Details | Diff | Splinter Review

Description Keith Bowes 2001-09-21 04:13:53 PDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9.4+) Gecko/20010919
BuildID:    2001091903

Content-Script-Type does not set the defualt scripting language, as specified in
HTML 4.  Since VBScipt is unsupported in Mozilla the OnClick event in the
following example should be ignored in accordance with the HTML 4.01
Specification chapter 18.2.2.

Reproducible: Always
Steps to Reproduce:
1.  Copy Example into new HTML Document.
2.  Open new Document in Mozilla.
3.  Click on SPAN tag.

Actual Results:  Mozilla jumps to

Expected Results:  Mozilla should ignore the OnClick event because the default
scripting language is not supported.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<HTML lang="en-US">
    <TITLE>Test 1</TITLE>
    <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <META http-equiv="Content-Script-Type" content="text/vbscript">
    <SPAN onclick='location.href=""'>Go to</A>
Comment 1 Christopher Hoess (gone) 2001-09-21 11:50:33 PDT
Created attachment 50281 [details]
Testcase with vbscript
Comment 2 Christopher Hoess (gone) 2001-09-21 11:51:53 PDT
Reporter: do you have access to a webserver that sends the real
Content-Script-Type HTTP header?  Does that work?
Comment 3 Kevin Bowes 2001-09-22 04:47:35 PDT
With my personal webserver I added 'Content-Script-Type: text/vbscript' to the
headers and sent it Mozilla, the result was the same as with the META tag, the
scripting was not ignored.
Comment 4 Keith Bowes 2001-09-22 09:25:10 PDT
Even if the real Content-Script-Type HTTP header did work, the HTML 4.01
Specification states the Content-Script-Type META element takes precedence over
the HTTP header; hence, by only supporting the header, Mozilla would still be in
violation of the standard.

Also, the similar Content-Style-Type META element for setting the default
styling languages does work.
Comment 5 Keith Bowes 2001-09-22 09:29:22 PDT
Created attachment 50386 [details]
Content-Style-Type works, but Content-Script-Type doesn't
Comment 6 Christopher Hoess (gone) 2001-10-02 19:25:50 PDT
Yuck.  It doesn't look like this was ever implemented, except for a mention in
nsHTMLAtomList.h.  Tenatively sending this to DOM Core; whoever receives it,
please reassign promptly if it isn't yours, this is a rather serious issue.
Comment 7 Asa Dotzler [:asa] 2001-12-03 10:36:04 PST
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 
(you can query for this string to delete spam or retrieve the list of bugs I've 
Comment 8 Fabian Guisset 2002-02-09 05:29:00 PST
Need more info for this one. Is it widely used? Are there any real-world sites
affected by this? Given that the fix is quite involved (from what I saw in LXR),
putting P4 and severity to normal. If you disagree please speak up and we will
Comment 9 Keith Bowes 2002-03-31 16:24:46 PST
This isn't used much yet; however it is in the HTML 4 standard, hence it is a
major omission.
Comment 10 Harshal Pradhan 2002-12-12 08:41:14 PST
reference from the spec

I think I have a patch for this. 
Comment 11 Harshal Pradhan 2002-12-12 08:42:23 PST
Created attachment 109128 [details] [diff] [review]
proof-of-concept patch

This really shouldnt be all that difficult. Something like the above patch
should work. Right? Or am I missing something?
Comment 12 Harshal Pradhan 2002-12-15 04:31:10 PST
Comment on attachment 109128 [details] [diff] [review]
proof-of-concept patch

jst, can you please look at this and let me know if this makes sense at all.
Comment 13 Harshal Pradhan 2002-12-16 00:58:59 PST
Comment on attachment 109128 [details] [diff] [review]
proof-of-concept patch

This has some more issues. Removing review request.
Comment 14 Johnny Stenback (:jst, 2003-03-23 13:23:27 PST
Mass-reassigning bugs to
Comment 15 Hixie (not reading bugmail) 2005-04-03 06:34:48 PDT
Brendan: We probably want to implement this for being able to use E4X in event
handler attributes.
Comment 16 Mike Plusch, Clear Methods 2007-05-15 13:11:19 PDT
Clear Methods needs/wants to make Water ( an alternative 
client-side language.  Until this bug is fixed, we won't be able to make Water work
with Mozilla/FireFox, which limits innovation in client-side languages that work
with XHTML.  Internet Explorer correctly implements Content-Script-Type which allows IE to
support other scripting languages.
I would like to offer $1,000.00 USD to have this bug/feature fixed.  Please contact
me if you are interested in helping me fix this bug.  
I am interested in finding others who also need to support client-side languages 
other than JavaScript, so we can raise the priority of this bug being fixed.
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2007-05-15 14:04:06 PDT
*** Bug 354630 has been marked as a duplicate of this bug. ***
Comment 18 :aceman 2011-09-22 01:02:40 PDT
This problem still exists in Firefox 9. Is there an updated patch?
However, I am not sure this is part of HTML5. I could not find it in the list of defined http-equiv constants (but content-style-type is also not there).
And also the <script> element "type" attribute specifies: 'The default, which is used if the attribute is absent, is "text/javascript".'. Yes, the testcase does not use <script>, but it may be relevant.
Comment 19 Masatoshi Kimura [:emk] 2011-09-22 01:19:41 PDT
HTML5 doesn't allow placing Content-Script-Type in the header.
Comment 20 :aceman 2011-09-22 01:54:17 PDT
Then how is the script language determined in the example?
Comment 21 Masatoshi Kimura [:emk] 2011-09-22 03:17:49 PDT
It's always JavaScript.
> Event handler content attributes, when specified, must contain valid JavaScript code which, when parsed, would match the FunctionBody production after automatic semicolon insertion. [ECMA262]
Comment 22 :Ms2ger (⌚ UTC+1/+2) 2011-09-22 03:56:06 PDT

Note You need to log in before you can comment on or make changes to this bug.