diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index 0386ca9353fc..cb1070018441 100644
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -4132,8 +4132,11 @@ var contentAreaDNDObserver = {
 {
 var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
- if (!url || !url.length || url.indexOf(" ", 0) != -1)
+ // valid urls don't contain spaces ' '; if we have a space it
+ // isn't a valid url, or if it's a javascript: or data: url,
+ // bail out
+ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
+ /^\s*(javascript|data):/.test(url))
 return;
 switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/xpfe/communicator/resources/content/contentAreaDD.js b/xpfe/communicator/resources/content/contentAreaDD.js
index a741aacecd8f..7ecd499267b2 100644
--- a/xpfe/communicator/resources/content/contentAreaDD.js
+++ b/xpfe/communicator/resources/content/contentAreaDD.js
@@ -53,8 +53,11 @@ var contentAreaDNDObserver = {
 {
 var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
- if (!url || !url.length || url.indexOf(" ", 0) != -1)
+ // valid urls don't contain spaces ' '; if we have a space it
+ // isn't a valid url, or if it's a javascript: or data: url,
+ // bail out
+ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
+ /^\s*(javascript|data):/.test(url))
 return;
 switch (document.firstChild.getAttribute('windowtype')) {
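Review bot: The scheme test added to the drop check in browser.js, `/^\s*(javascript|data):/.test(url)`, is case-sensitive although URL schemes are case-insensitive, so a mixed-case spelling of either scheme is not rejected; at minimum it should read `/^\s*(javascript|data):/i.test(url)`. The identical line in the contentAreaDD.js hunk needs the same change, and since the check is now duplicated in two files it would be easier to keep correct as one shared helper. A string blocklist is also a fragile sole gate on dropped content: it names only two schemes and relies on the regex reading the string the same way the URI parser later will, so parsing the URL and comparing its normalized scheme against the set this drop target is meant to accept (or deferring to the platform's load-URI security check, if one is reachable here) would be sturdier. The enclosing drop handler starts before and continues after both hunks, so how `url` is ultimately loaded is not visible from this diff.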