"data:" URIs interpret "text/javascript" as "text/plain"

RESOLVED INVALID

Status

()

Firefox
General
RESOLVED INVALID
12 years ago
12 years ago

People

(Reporter: bugzilla2005, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050923 Firefox/1.0.7

Using "data:" for "text/javascript" does not seem to work; the content is displayed as plain text instead of being exectued. But "data:text/javascript," would be a nice alternative to the "javascript:" URI scheme, since the latter was never officially registered with the IANA.

And at least the IETF draft (June 6, 2005) on Scripting Media Types [1] suggests in its Security Consideration section that "text/javascript" data ought to be executed:

   The "data" resource identifier scheme [RFC2397] in combination with
   the types defined in this document could be used to cause execution
   of untrusted scripts through the inclusion of untrusted resource
   identifiers in otherwise trusted content.  Security considerations of
   [RFC2397] apply.

Of course supporting "data:text/javascript," has security implications, but those are exactly the same as for "javascript:" URIs...

[1] <http://www.ietf.org/internet-drafts/draft-hoehrmann-script-types-03.txt>

Reproducible: Always

Steps to Reproduce:
1. Request "data:text/javascript,alert("Test");"
Actual Results:  
The text "Test" is displayed.

Expected Results:  
An alert box saying "Test" should pop up.
No, that's not how it works.  data: tries to load a file as if it were of that content-type, as a web page.  This is like loading a .js file directly into the browser, instead of as a script belonging to a HTML document.

INVALID.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.