Safari and Chrome avoid the problem by not doing MIME sniffing or presuming HTML on data: URLs (and by subsequently giving them a unique origin). The MSIE variant is prevented in said browsers by not showing

PS. If you combine this with my earlier PoC to seamlessly replace http://www.trustedsite.com with data://www.trustedsite.com, things get slightly more interesting.
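
The "no MIME sniffing, no presumed HTML" behaviour described above can be mirrored in a link sanitizer. The following is an added example, not code from the original post; the function names, the list of document types and the sample URLs are assumptions made for illustration.

```javascript
// Added example: decide how to treat a data: URL from its declared type only.
// All names, the type list and the sample URLs are constructed for illustration.

// Assumed list of declared types that may render as an active document.
const DOCUMENT_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml",
  "text/xml", "application/xml",
]);

// Conservative type/subtype name check.
const NAME = /^[a-z0-9][a-z0-9!#$&^_.+-]*$/;

// Parse data:[<mediatype>][;base64],<data> (the RFC 2397 layout).
function parseDataUrl(url) {
  const s = String(url).trim();
  if (!/^data:/i.test(s)) return null;
  const comma = s.indexOf(",");
  if (comma === -1) return null; // no payload separator: malformed
  const header = s.slice(5, comma).split(";").map((p) => p.trim().toLowerCase());
  const base64 = header.length > 1 && header[header.length - 1] === "base64";
  const [type = "", subtype = "", extra] = header[0].split("/");
  // An omitted or unparsable media type falls back to text/plain, never HTML.
  const valid = extra === undefined && NAME.test(type) && NAME.test(subtype);
  return {
    mediaType: valid ? `${type}/${subtype}` : "text/plain",
    base64,
    payload: s.slice(comma + 1),
  };
}

// The payload is deliberately never inspected: the declaration alone decides.
function classifyDataUrl(url) {
  const parsed = parseDataUrl(url);
  if (parsed === null) return "not-a-data-url";
  return DOCUMENT_TYPES.has(parsed.mediaType) ? "active-document" : "inert";
}

// Constructed samples: markup in the payload does not change the outcome.
const SAMPLES = [
  "data:,<b>markup in an untyped URL</b>",
  "data:text/plain,<b>markup declared as text</b>",
  "data:text/html;charset=utf-8,<b>declared HTML</b>",
  "data:;base64,PGI+dW50eXBlZDwvYj4=",
  "data:image/svg+xml;base64,PHN2Zy8+",
  "data:text/html",
];
for (const u of SAMPLES) console.log(classifyDataUrl(u).padEnd(16), u);
```

A sanitizer built on this would typically allow only the "inert" class, or refuse data: links outright where they are not needed.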