(NoScript notification) javascript: and data: URIs typed or pasted in the address bar are disabled to prevent social engineering attacks.
Developers can enable them for testing purposes by toggling the "noscript.allowURLBarJS" preference.
1) Could you please explain to me the danger in allowing data URIs to be typed/pasted into the address bar? How is this more of a concern than a hyperlink containing the same data: URI (which NoScript does not block)? Is the danger resolved by the following?
(https://developer.mozilla.org/en-US/doc ... s#Security) Security
Note: Prior to Gecko 6.0, data URIs inherited the security context of the page currently in the browser window if the user enters a data URI into the location bar. Now data URIs get a new, empty, security context.
2) If the security issue is not resolved by the changes in Gecko 6.0 ... I noticed that the NoScript error message about this comes up even if the data: URI is neither typed nor pasted ... in the case where the data: URI is bookmarked and the user types the bookmark name into the URL bar and then selects that bookmark -- it seems that either NoScript should allow this through, or should update the error message wording to match this behavior.