What content-types execute JavaScript in the browser?

The page you are viewing right now has the HTTP header element of Content-type: text/html. HTML is displayed normally and JavaScript will be executed. If you have a Content-Type: text/javascript then the JavaScript is not executed, it is only displayed.

My question is: Are there content-types other than text/html that will execute JavaScript? I would like as complete of a list as possible for any common browser (IE, Firefox, Chrome, Safari).

rook asked Jan 19 '11 22:01



2 Answers

I don't know of a full list, and it may well be that no such list exists publicly. You may have to find out for yourself. (Although I don't think anything speaks against setting up a test page with a number of iframes, and asking the SO community to provide data with their respective browsers. It's been done before.)

In Internet Explorer, this one should definitely be on the list:

  • application/hta for Hypertext Applications

Candidates that I would test for (because it's conceivable a careless programmer might activate them for HTML parsing) include:

  • application/form-data
  • text/xhtml+xml (used to be proposed in 2000, no idea what happened to that)

However, I tested those with both Chrome 9 and the latest Firefox, and they reject everything except text/html. Firefox shows them as downloadable resources instead, which I think eliminates them from your equation as any JS therein will be executed in the local context rather than the URL's. (IE is executing everything including text/plain for me, but I think that is a header mixup with my server.)

If you want to go for hard-core sure for the Open Source browsers, check their source code or ask on their mailing lists/forums. I have a feeling the good ones have text/html hard-coded.

Edit: Arrgh! Firefox, Chrome and IE parse HTML, and execute scripts, regardless of content type - I successfully managed to set Content-type: text/poppycock - when the resource's extension is .htm or .html. That means that you have to test not only for MIME types, but for file extensions (which should not play any role in HTTP) as well. Didn't know that - this was probably introduced to fix the output of broken web servers. Stuff like this is why I don't work in IT security :)

All tests made on Windows 7.

Pekka answered Oct 27 '22 17:10


application/xhtml+xml would have to execute JavaScript. That's the only one I can think of off the top of my head.

meder omuraliev answered Oct 27 '22 16:10
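
Added example, not part of either answer: a local Node.js harness for the iframe test page suggested in the first answer. It serves one probe document under each Content-Type named on this page, with and without a `.html` extension. The port, the `/probe/` paths and the `?nosniff` switch (which adds an `X-Content-Type-Options: nosniff` response header, not mentioned on this page) are assumptions of the example.

```javascript
// Added example: local harness for the iframe test page proposed in the first answer.
// Candidate types are the ones named on this page; port and paths are assumptions.
const CANDIDATES = ['text/html', 'text/javascript', 'text/plain', 'application/hta',
  'application/form-data', 'text/xhtml+xml', 'application/xhtml+xml', 'text/poppycock'];

// Probe document, well-formed as both HTML and XHTML. If the browser runs the
// script, the frame reports its own path to the parent page.
const probeBody = (path) =>
  '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>probe</title></head><body>' +
  `<script>parent.postMessage(${JSON.stringify(path)}, "*");</script></body></html>`;

// Index page: one iframe per (type, path variant); a cell flips when a probe reports in.
function indexPage(nosniff) {
  const rows = CANDIDATES.flatMap((type, i) => ['', '.html'].map((ext) => {
    const path = `/probe/${i}${ext}`;
    return `<tr><td>${type}</td><td>${path}</td><td id="${path}">not executed</td>` +
      `<td><iframe src="${path}${nosniff ? '?nosniff' : ''}"></iframe></td></tr>`;
  })).join('\n');
  return `<!doctype html><title>Content-Type probes</title><table>${rows}</table><script>
addEventListener('message', (e) => {
  const cell = document.getElementById(String(e.data));
  if (cell) cell.textContent = 'executed';
});</script>`;
}

// Pure router (no socket needed): maps a request URL to status, headers and body.
function route(url) {
  const u = new URL(url, 'http://127.0.0.1');
  const nosniff = u.searchParams.has('nosniff');
  const m = /^\/probe\/(\d+)(\.html)?$/.exec(u.pathname);
  if (m && Number(m[1]) < CANDIDATES.length) {
    const headers = { 'Content-Type': CANDIDATES[Number(m[1])] };
    // Optional: tell the browser not to second-guess the declared type.
    if (nosniff) headers['X-Content-Type-Options'] = 'nosniff';
    return { status: 200, headers, body: probeBody(u.pathname) };
  }
  if (u.pathname === '/') {
    return { status: 200, headers: { 'Content-Type': 'text/html' }, body: indexPage(nosniff) };
  }
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
}

// Start only when asked: node harness.js serve, then open http://127.0.0.1:8000/
if (process.argv[2] === 'serve') {
  import('node:http').then((http) => http.createServer((req, res) => {
    const r = route(req.url);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8000, '127.0.0.1'));
}
```

Open `/` and then `/?nosniff` in each browser under test and compare which rows read "executed"; a frame the browser offers as a download or shows as plain text never reports in.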