META HTTP-Equiv Content-Script-Type does not set default scripting language for inline scripting

VERIFIED INVALID

Status

()

Core
DOM: Core & HTML
P4
normal
VERIFIED INVALID
16 years ago
6 years ago

People

(Reporter: Keith Bowes, Unassigned)

Tracking

({html4, testcase})

Trunk
html4, testcase
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9.4+) Gecko/20010919
BuildID:    2001091903

Content-Script-Type does not set the defualt scripting language, as specified in
HTML 4.  Since VBScipt is unsupported in Mozilla the OnClick event in the
following example should be ignored in accordance with the HTML 4.01
Specification chapter 18.2.2.

Reproducible: Always
Steps to Reproduce:
1.  Copy Example into new HTML Document.
2.  Open new Document in Mozilla.
3.  Click on SPAN tag.


Actual Results:  Mozilla jumps to Mozilla.org.

Expected Results:  Mozilla should ignore the OnClick event because the default
scripting language is not supported.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html/loose.dtd">
<HTML lang="en-US">
  <HEAD>
    <TITLE>Test 1</TITLE>
    <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <META http-equiv="Content-Script-Type" content="text/vbscript">
  </HEAD>
  <BODY>
    <SPAN onclick='location.href="http://www.mozilla.org"'>Go to Mozilla.org</A>
  </BODY>
</HTML>

Updated

16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Created attachment 50281 [details]
Testcase with vbscript
Reporter: do you have access to a webserver that sends the real
Content-Script-Type HTTP header?  Does that work?
Keywords: testcase
OS: Windows ME → All

Comment 3

16 years ago
With my personal webserver I added 'Content-Script-Type: text/vbscript' to the
headers and sent it Mozilla, the result was the same as with the META tag, the
scripting was not ignored.
(Reporter)

Comment 4

16 years ago
Even if the real Content-Script-Type HTTP header did work, the HTML 4.01
Specification states the Content-Script-Type META element takes precedence over
the HTTP header; hence, by only supporting the header, Mozilla would still be in
violation of the standard.

Also, the similar Content-Style-Type META element for setting the default
styling languages does work.
(Reporter)

Comment 5

16 years ago
Created attachment 50386 [details]
Content-Style-Type works, but Content-Script-Type doesn't

Updated

16 years ago
QA Contact: bsharma → moied

Updated

16 years ago
Priority: -- → P3
Target Milestone: --- → mozilla1.0
Yuck.  It doesn't look like this was ever implemented, except for a mention in
nsHTMLAtomList.h.  Tenatively sending this to DOM Core; whoever receives it,
please reassign promptly if it isn't yours, this is a rather serious issue.
Assignee: harishd → jst
Component: Parser → DOM Core
QA Contact: moied → stummala

Comment 7

16 years ago
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 
(you can query for this string to delete spam or retrieve the list of bugs I've 
moved)
Target Milestone: mozilla1.0 → mozilla1.0.1

Comment 8

16 years ago
Need more info for this one. Is it widely used? Are there any real-world sites
affected by this? Given that the fix is quite involved (from what I saw in LXR),
putting P4 and severity to normal. If you disagree please speak up and we will
reconsider.
Severity: major → normal
Priority: P3 → P4
(Reporter)

Comment 9

16 years ago
This isn't used much yet; however it is in the HTML 4 standard, hence it is a
major omission.

Updated

15 years ago
Target Milestone: mozilla1.0.1 → ---

Comment 10

15 years ago
reference from the spec
http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.2

I think I have a patch for this. 

Comment 11

15 years ago
Created attachment 109128 [details] [diff] [review]
proof-of-concept patch

This really shouldnt be all that difficult. Something like the above patch
should work. Right? Or am I missing something?

Comment 12

15 years ago
Comment on attachment 109128 [details] [diff] [review]
proof-of-concept patch

jst, can you please look at this and let me know if this makes sense at all.
Attachment #109128 - Flags: review?(jst)

Comment 13

15 years ago
Comment on attachment 109128 [details] [diff] [review]
proof-of-concept patch

This has some more issues. Removing review request.
Attachment #109128 - Attachment is obsolete: true
Attachment #109128 - Flags: review?(jst)
Mass-reassigning bugs to dom_bugs@netscape.com
Assignee: jst → dom_bugs
Brendan: We probably want to implement this for being able to use E4X in event
handler attributes.
QA Contact: stummala → ian
Clear Methods needs/wants to make Water (www.waterlanguage.org) an alternative 
client-side language.  Until this bug is fixed, we won't be able to make Water work
with Mozilla/FireFox, which limits innovation in client-side languages that work
with XHTML.  Internet Explorer correctly implements Content-Script-Type which allows IE to
support other scripting languages.
I would like to offer $1,000.00 USD to have this bug/feature fixed.  Please contact
me if you are interested in helping me fix this bug.  
I am interested in finding others who also need to support client-side languages 
other than JavaScript, so we can raise the priority of this bug being fixed.

Updated

10 years ago
Duplicate of this bug: 354630

Updated

9 years ago
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general

Comment 18

6 years ago
This problem still exists in Firefox 9. Is there an updated patch?
However, I am not sure this is part of HTML5. I could not find it in the list of defined http-equiv constants (but content-style-type is also not there).
And also the <script> element "type" attribute specifies: 'The default, which is used if the attribute is absent, is "text/javascript".'. Yes, the testcase does not use <script>, but it may be relevant.
Keywords: html4
HTML5 doesn't allow placing Content-Script-Type in the header.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID

Comment 20

6 years ago
Then how is the script language determined in the example?
It's always JavaScript.
http://dev.w3.org/html5/spec-author-view/webappapis.html#event-handler-content-attributes
> Event handler content attributes, when specified, must contain valid JavaScript code which, when parsed, would match the FunctionBody production after automatic semicolon insertion. [ECMA262]
Exactly.
Assignee: general → nobody
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Hardware: x86 → All
You need to log in before you can comment on or make changes to this bug.