Closed Bug 288835 Opened 21 years ago Closed 19 years ago

<script type=""> trumps Content-Type header

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: ian, Unassigned)

Details

According to the specs, the type="" attribute on <script> is purely advisory, and the HTTP header takes precedence. We, however, are ignoring the HTTP header, and relying only on the attribute. This means that authors (potentially hostile authors) can cause files to be executed as script even if they are not labelled as being script. We used to have the same bug in CSS, but it was fixed. This should probably be only a standards-mode fix given the likelihood of broken MIME types that is caused by having this bug (since it means failures won't be fixed).
TESTCASE: http://www.hixie.ch/tests/adhoc/http/content-type/js/001.html
If someone feels the urge to change this, it should be an alpha change. It should also come _after_ web developers have a registered MIME type they can send scripts as, imo. At the moment, they do not, which means sending them as text/plain is as good as anything else.
People use application/x-javascript, without an official IANA type, and have for years. This is not an issue, any more than using one of the made-up-by-HTML4 types is. I implemented <script src=> for Netscape 3 and ran into the usual server admin failure to send the right type, but I believe I avoided the temptation to override the server's type with the client attribute. That may have changed over time, and in particular when Gecko was trying to compete with IE, which overrides server-sent MIME types all over the place.
/be
> but I believe I avoided the temptation to override the server's type with the
> client attribute.
It's very very rare for the server to not send a type at all, actually... Most misconfigured servers just send text/plain. The technical changes to the scriptloader to make this work are very straightforward if people do want to try it in 1.9a.
Apache seems to default .js files to application/x-javascript, as far as I can tell from looking at their source tree (docs/conf/mime.types).
That wouldn't be a misconfigured server then, would it? ;)
HTML5 is going to say you ignore the server for <script>.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML
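
The two loading policies debated in this bug, modeled as an added example (not Gecko's code and not written by any commenter). The allow-list of script MIME types and the fallback to the attribute when no usable header is present are assumptions; the function and constant names are hypothetical.

```javascript
// Added example. SCRIPT_TYPES is an assumed allow-list, not Gecko's own.
const SCRIPT_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "application/ecmascript",
]);

// Reduce a media-type string to its lowercase type/subtype, dropping
// parameters such as "; charset=utf-8". Returns null if absent or malformed.
function essence(value) {
  if (typeof value !== "string") return null;
  const type = value.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(type) ? type : null;
}

// Behaviour the report describes: only the type="" attribute is consulted.
function attributeOnly(typeAttr) {
  if (typeAttr == null || typeAttr.trim() === "") return true; // no hint: treated as script
  return SCRIPT_TYPES.has(essence(typeAttr));
}

// Behaviour the report asks for: in standards mode the Content-Type header
// decides and the attribute is only a hint; quirks mode keeps the old rule.
function headerFirst(typeAttr, contentType, standardsMode) {
  if (!standardsMode) return attributeOnly(typeAttr);
  const served = essence(contentType);
  if (served === null) return attributeOnly(typeAttr); // assumed fallback: no usable header
  return SCRIPT_TYPES.has(served);
}

// Constructed sample loads: [type attribute, Content-Type header].
const SAMPLES = [
  ["text/javascript", "application/x-javascript"],
  ["text/javascript", "text/plain"],
  ["text/javascript", "image/png"],
  [null, "Text/JavaScript; charset=utf-8"],
  ["text/javascript", null],
];

// Return the loads that run under attributeOnly but are refused under headerFirst.
function newlyBlocked(samples, standardsMode) {
  return samples.filter(([attr, ct]) =>
    attributeOnly(attr) && !headerFirst(attr, ct, standardsMode));
}

console.log(newlyBlocked(SAMPLES, true));  // standards mode
console.log(newlyBlocked(SAMPLES, false)); // quirks mode
```

The standards-mode result lists the text/plain load alongside the image/png one, which is the compatibility cost raised in the comments: misconfigured servers that send text/plain would stop working under the stricter rule.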