Bugzilla – Bug 186
Rework the <script> element's semantics to allow it to be abused, er, used, for smuggling proprietary data.
Last modified: 2008-05-22 14:54:24 CEST
Index: source =================================================================== --- source (revision 1610) +++ source (revision 1611) 
@@ -20427,38 +20427,50 @@ </dl> <p>The <code>script</code> element allows authors to include dynamic - script in their documents.</p> + script and script data in their documents.</p> - <p>When the <dfn title="attr-script-src"><code>src</code></dfn> - attribute is set, the <code>script</code> element refers to an - external file. The value of the attribute must be a URI (or - IRI).</p> - - <p>If the <code title="attr-script-src">src</code> attribute is not - set, then the script is given by the contents of the element.</p> - - <p>The language of the script may be given by the <dfn - title="attr-script-type"><code>type</code></dfn> attribute. If the - attribute is present, its value must be a valid MIME type, - optionally with parameters. The <code title="">charset</code> - parameter must not be specified. <a + <p>When used to include dynamic scripts, the scripts may either be + embedded inline or may be imported from an external file using the + <code title="attr-script-src">src</code> attribute. If the language + is not that described by "<code title="">text/javascript</code>", + then the type of the script's language must be given using the <code + title="attr-script-type">type</code> attribute.</p> + + <p>When used to include script data, the script data must be + embedded inline, the format of the data must be given using the + <code title="attr-script-type">type</code> attribute, and the <code + title="attr-script-src">src</code> attribute must not be + specified.</p> + + <p>The <dfn title="attr-script-type"><code>type</code></dfn> + attribute gives the language of the script or format of the script + data. If the attribute is present, its value must be a valid MIME + type, optionally with parameters. The <code title="">charset</code> + parameter must not be specified. (The default, which is used if the + attribute is absent, is "<code title="">text/javascript</code>".) 
<a href="#refsRFC2046">[RFC2046]</a></p> - <p class="note">If the <code title="attr-script-type">type</code> - attribute is omitted, the value <code - title="">text/javascript</code> will be assumed.</p> + <p>The <dfn title="attr-script-src"><code>src</code></dfn> + attribute, if specified, gives the address of the external script + resource to use. The value of the attribute must be a URI (or IRI) + to a script resource of the type given by the <code + title="attr-script-type">type</code> attribute, if the attribute is + present, or of the type "<code title="">text/javascript</code>", if + the attribute is absent.</p> <p>The <dfn title="attr-script-charset"><code>charset</code></dfn> - attribute gives the character encoding of the external file. The - attribute must not be specified if the <code + attribute gives the character encoding of the external script + resource. The attribute must not be specified if the <code title="attr-script-src">src</code> attribute is not present. If the attribute is set, its value must be a valid character encoding name, - and must be the preferred name for that encoding. <a + and must be the preferred name for that encoding. <a href="#refsIANACHARSET">[IANACHARSET]</a></p> - <p class="note">If the <code - title="attr-script-charset">charset</code> attribute is omitted, the - character encoding of the document will be used.</p> + <p>The encoding specified must be the encoding used by the script + resource. If the <code title="attr-script-charset">charset</code> + attribute is omitted, the character encoding of the document will be + used. If the script resource uses a different encoding than the + document, then the attribute must be specified.</p> <p>The <dfn title="attr-script-async"><code>async</code></dfn> and <dfn title="attr-script-defer"><code>defer</code></dfn> attributes
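Review bot: In the new "script data" paragraph, the only requirement on the data format is that it be given by the type attribute, while the reworded type paragraph keeps "text/javascript" as the default when the attribute is absent. A data block whose author omits type is therefore indistinguishable from an inline script, and nothing in these lines says which type values count as data rather than as a script language. Suggest stating in that paragraph that the type value for script data must not be a script language type, and stating or referencing how a user agent treats a block whose type it does not recognise as a script language. Separately, the new charset sentence "If the script resource uses a different encoding than the document, then the attribute must be specified" turns the removed note into an authoring requirement that applies only to external resources; it would read more clearly if it said so, since the preceding paragraph already forbids charset without src.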
Not actionable.