What is the issue with the HTML Standard?
Test case: https://domenic.github.io/scratchpad/refresh-to-javascript-url/
Chrome and Safari print a console message:
Refused to refresh https://domenic.github.io/scratchpad/refresh-to-javascript-url/ to a javascript: URL
Firefox doesn't print anything, but it also refuses to execute the script.
The spec seems to allow this without any special guard. We should spec that it's disallowed, and capture that behavior in WPTs.
I haven't tested the HTTP header version but Chromium also has a non-WPT test that expects such cases to be blocked as well.
The Chromium behavior seems to predate the WebKit fork, or perhaps be shortly after it. The CL claims "This behaviour has been standard in IE since IE7. This makes us both more compatible and less vulnerable to XSS." It links to this Chromium bug, which in turn links to this Gecko (?) bug.
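The guard proposed above, as an added example (not part of the original issue, and not text from the HTML Standard or any browser's code): a simplified model of parsing a refresh `content` value that refuses `javascript:` targets by checking the parsed URL's scheme. The function name `evaluateRefresh` and its return shape are assumptions made for illustration.

```javascript
// Added example: simplified model of handling <meta http-equiv="refresh" content="...">
// with the javascript: guard this issue proposes. Names are hypothetical.
const WS = "[\\t\\n\\f\\r ]"; // ASCII whitespace
// <time>, then either end of input or a separator (";", "," or whitespace) and a target.
const REFRESH_RE = new RegExp(
  `^${WS}*(\\d+)[\\d.]*(?:(?:${WS}*[;,]${WS}*|${WS}+)([\\s\\S]*))?$`);
const URL_PREFIX_RE = new RegExp(`^url${WS}*=${WS}*`, "i"); // optional "url=" prefix

// Returns { action: "invalid" | "reload" | "navigate" | "blocked", ... }.
function evaluateRefresh(content, documentURL) {
  const m = REFRESH_RE.exec(content);
  if (m === null) return { action: "invalid" };
  const seconds = Number(m[1]); // fractional part is ignored
  let target = (m[2] || "").replace(URL_PREFIX_RE, "");
  if (target === "") return { action: "reload", seconds };

  // Optional quoting: url='...' or url="..."; text after the closing quote is dropped.
  const quote = target[0];
  if (quote === '"' || quote === "'") {
    target = target.slice(1);
    const end = target.indexOf(quote);
    if (end !== -1) target = target.slice(0, end);
  }

  let url;
  try {
    url = new URL(target, documentURL); // resolve relative to the document
  } catch {
    return { action: "invalid" };
  }
  // Compare the *parsed* scheme: the URL parser lowercases it and removes
  // embedded tabs/newlines, so a string-prefix check on the raw value is not enough.
  if (url.protocol === "javascript:") return { action: "blocked", seconds };
  return { action: "navigate", seconds, url: url.href };
}
```
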