Developers can enable them for testing purposes by toggling the "noscript.allowURLBarJS" preference.
1) Could you please explain to me the danger in allowing data URIs to be typed/pasted into the address bar? How is this more of a concern than a hyperlink containing the same data: URI (which NoScript does not block)? Is the danger resolved by the following?:
Note: Prior to Gecko 6.0, data URIs inherited the security context of the page currently in the browser window if the user enters a data URI into the location bar. Now data URIs get a new, empty, security context.
2) If the security issue is not resolved by the changes in Gecko 6.0 ... I noticed that the NoScript error message about this comes up even if the data: URI is neither typed nor pasted ... in the case where the data: URI is bookmarked and the user types the bookmark name into the URL bar and then selects that bookmark -- it seems that either NoScript should allow this through, or should update the error message wording to match this behavior.