You sniff MIME / assume HTML on what?

Just a delicious and completely unnecessary vector for phishing. The most convincing version of this is for Firefox, thanks to Unicode homographs (YMMV, but here's a reference rendering); Opera comes second, and the MSIE variant (using a different approach) is barely of any interest.

Safari and Chrome avoid the problem by not doing MIME sniffing or presuming HTML on data: URLs (and by subsequently giving them a unique origin). The MSIE variant is prevented in said browsers by not showing javascript:"..." URLs in the address bar.

PS. If you combine this with my earlier PoC to seamlessly replace http://www.trustedsite.com with data://www.trustedsite.com, things get slightly more interesting.