Closed Bug 288835 Opened 20 years ago Closed 19 years ago

<script type=""> trumps Content-Type header

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: ian, Unassigned)

According to the specs, the type="" attribute on <script> is purely advisory,
and the HTTP header takes precedence.

We, however, are ignoring the HTTP header, and relying only on the attribute.

This means that authors (potentially hostile authors) can cause files to be
executed as script even if they are not labelled as being script.

We used to have the same bug in CSS, but it was fixed. This should probably be
only a standards-mode fix given the likelihood of broken MIME types that is
caused by having this bug (since it means failures won't be fixed).

TESTCASE: http://www.hixie.ch/tests/adhoc/http/content-type/js/001.html

If someone feels the urge to change this, it should be an alpha change.  It
should also come _after_ web developers have a registered MIME type they can
send scripts as, imo.  At the moment, they do not, which means sending them as
text/plain is as good as anything else.

People use application/x-javascript, without an official IANA type, and have for
years.  This is not an issue, any more than using one of the made-up-by-HTML4
types is.

I implemented <script src=> for Netscape 3 and ran into the usual server admin
failure to send the right type, but I believe I avoided the temptation to
override the server's type with the client attribute.  That may have changed
over time, and in particular when Gecko was trying to compete with IE, which
overrides server-sent MIME types all over the place.

/be

> but I believe I avoided the temptation to override the server's type with the
> client attribute. 

It's very very rare for the server to not send a type at all, actually...  Most
misconfigured servers just send text/plain.

The technical changes to the scriptloader to make this work are very
straightforward if people do want to try it in 1.9a.

Apache seems to default .js files to application/x-javascript, as far as I can
tell from looking at their source tree (docs/conf/mime.types).

That wouldn't be a misconfigured server then, would it?  ;)

HTML5 is going to say you ignore the server for <script>.

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML
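
As an added illustration (not Gecko code and not part of the bug thread), the sketch below models the two precedence policies discussed in this bug, so the effect on a file served as text/plain or image/png is visible. The function names, the set of script MIME types, the no-header fallback and the sample cases are assumptions constructed for this example.

```javascript
// Added example; names are hypothetical and this is not Gecko's script loader.

// Assumed set of types treated as script: the unregistered type the thread
// mentions plus the HTML4-era text/javascript.
const SCRIPT_TYPES = new Set(["application/x-javascript", "text/javascript"]);

// Lowercased type/subtype of a Content-Type value, parameters dropped.
// Returns null when the value is missing or malformed.
function essence(value) {
  if (typeof value !== "string") return null;
  const m = /^\s*([^\s;\/]+\/[^\s;\/]+)\s*(;.*)?$/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// policy "attribute": the header is ignored (behaviour described in the report).
// policy "header": the header decides; the attribute is advisory and is only
// consulted when no usable header was sent (that fallback is an assumption).
function wouldExecute(policy, typeAttr, contentType) {
  // Assumption: a missing or empty type attribute means the default script language.
  const attrSaysScript = typeAttr == null || typeAttr.trim() === ""
    ? true
    : SCRIPT_TYPES.has(essence(typeAttr));
  if (policy === "attribute") return attrSaysScript;
  const served = essence(contentType);
  return served === null ? attrSaysScript : SCRIPT_TYPES.has(served);
}

// Constructed cases: [description, type attribute, Content-Type header].
const CASES = [
  ["script served with a script type", "text/javascript", "application/x-javascript; charset=utf-8"],
  ["text file referenced as script", "text/javascript", "text/plain"],
  ["image referenced as script", "text/javascript", "image/png"],
  ["no Content-Type header at all", "text/javascript", undefined],
];

// For each case, report what each policy does and whether they disagree.
function compare(cases) {
  return cases.map(([label, attr, header]) => {
    const attribute = wouldExecute("attribute", attr, header);
    const byHeader = wouldExecute("header", attr, header);
    return { label, attribute, header: byHeader, differs: attribute !== byHeader };
  });
}

console.table(compare(CASES));
```

The rows where `differs` is true are the ones the report is about: content the server did not label as script that still runs when the attribute alone decides.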