The page you are viewing right now has the HTTP header element of Content-type: text/html. HTML displayed normally and JavaScript will be executed. If you have a Content-Type: text/javascript then the JavaScript is not executed, it is only displayed.
My question is: Are there content-type's other than text/html that will execute JavaScript? I wold like as complete of a list as possible for any common browser (IE,Firefox,Chrome,Safari).
I don't know of a full list, and it may well be that no such list exists publicly. You may have to find out for yourself. (Although I don't think anything speaks against setting up a test page with a number of iframes, and asking the SO community to provide data with their respective browsers. It's been done before.)
In Internet Explorer, this one should definitely be on the list:
application/hta for Hypertext ApplicationsCandidates that I would test for (because it's conceivable a careless programmer might activate them for HTML parsing) include:
application/form-datatext/xhtml+xml (used to be proposed in 2000, no idea what happened to that)However, I tested those with both Chrome 9 and the latest Firefox, and they reject everything except text/html. Firefox shows them as downloadable resources instead, which I think eliminates them from your equation as any JS therein will be executed in the local context rather than the URL's. (IE is executing everything including text/plain for me, but I think that is a header mixup with my server.)
If you want to go for hard-core sure for the Open Source browsers, check their source code or ask on their mailing lists/forums. I have a feeling the good ones have text/html hard-coded.
Edit: Arrgh! Firefox, Chrome and IE parse HTML, and execute scripts, regardless of content type - I successfully managed to set Content-type: text/poppycock - when the resource's extension is .htm or .html. That means that you have to test not only for MIME types, but for file extensions (which should not play any role in HTTP) as well. Didn't know that - this was probably introduced to fix the output of broken web servers. Stuff like this is why I don't work in IT security :)
All tests made on Windows 7.
Content-Type is unrecognized browsers may resort to MIME-sniffing: mimesniff.spec.whatwg.orgapplication/xhtml+xml would have to execute Javascript. That's the only one I can think of at the top of my head.
This wouldn't be very useful. Javascript has no way to import other scripts, so your script would be isolated from libraries. The only way to tie them together is through HTML. Also, the input/output options are very limited without a document.
PDF files can also execute javascript (application/pdf).
Aswell as XML documents (application/xml), including SVG (image/svg+xml), for example:
<?xml version="1.0" encoding="utf-8"?>
<document>
<script xmlns="http://www.w3.org/1999/xhtml" src="xml.js"></script>
</document>
Have you tried application/javascript?
