by kozhevnikov 2077 days ago
Encouraged? No, but data URLs are heavily sandboxed, e.g. can't even access own cookies.

Although, this is not a data URL per se, but just pasting it in the URL bar allows you to do pretty much anything:

    javascript:alert(document.cookie)

My Firefox here does not allow that.

1. It strips the JavaScript: part away if I just paste it once

2. Even if I re-add it manually, it still does not alert

Ergo, a sane browser can be quite sandboxed to keep the average user from doing stupid things too easily.

Yup. javascript: URLs (either pasted or typed into the URL bar) are long gone as a self-XSS precaution. The only way you can run a javascript: URL is bookmarking it and invoking the resulting bookmarklet. And AFAIK there is no way to re-enable it again. You have to start the web developer console to run ad-hoc JavaScript code in pages' context. (I see this as an end of glorious era of "you can do pretty much anything in URL bar".)
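
An added example, not part of the thread and not any browser's actual code: a sketch of the two behaviours discussed above, using the standard WHATWG `URL` parser (global in Node.js and browsers). The function names `classifyPaste` and `naiveIsScript` and the returned field names are hypothetical; the sample inputs are constructed.

```javascript
// Classify text pasted into an address bar by its *parsed* scheme.

// Naive check: misses case changes, leading spaces and embedded tabs.
function naiveIsScript(text) {
  return text.startsWith('javascript:');
}

function classifyPaste(text) {
  let url;
  try {
    // The WHATWG parser trims leading/trailing spaces, removes tabs and
    // newlines, and lowercases the scheme before we inspect it.
    url = new URL(text);
  } catch {
    // No scheme at all: treat the input as a search query.
    return { kind: 'search', scheme: null, origin: null, text };
  }
  const scheme = url.protocol;
  if (scheme === 'javascript:') {
    // Mirror the behaviour described in the thread: drop the scheme so
    // the remainder is handled as plain text and never executed.
    const rest = text.slice(text.indexOf(':') + 1);
    return { kind: 'stripped', scheme, origin: null, text: rest };
  }
  // data: URLs get an opaque origin, serialized as the string "null",
  // so a document loaded from one shares no cookies with any site.
  const kind = url.origin === 'null' ? 'opaque' : 'normal';
  return { kind, scheme, origin: url.origin, text };
}

// Constructed sample inputs.
const samples = [
  'javascript:alert(document.cookie)',
  '  JavaScript:alert(document.cookie)',
  'java\tscript:alert(document.cookie)',
  'data:text/html,<b>hi</b>',
  'https://example.com/a',
  'how to clear cookies',
];
for (const s of samples) {
  const r = classifyPaste(s);
  console.log(JSON.stringify(s), '->', r.kind, '| naive check:', naiveIsScript(s));
}
```

The naive prefix test only catches the first sample, while the parser-based check normalizes the scheme first and catches all three `javascript:` variants.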