In theory, the data URL approach sounds perfect.
But in reality we'd be swapping this:
<script>alert('hello');</script>
For this:
<script src="data:text/javascript;charset=utf-8,alert('hello');" />
As you mentioned, it's likely that at least on browser won't support this
(I'm looking at you IE!). As I said, I'm not sure it actually achieves
anything in terms of security (apart from ticking a box).
