"For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however."
Sounds smart. It's extremely easy to get an unsophisticated user (heck, any user who isn't a web developer) to paste a random string of junk into their URL bar - and doing so is a very nasty XSS vector that works no matter what precautions a site's developers have taken.
I'm sure I've heard of this attack being used successfully on Facebook, spread through messages that say "paste this into your URL bar to get X".
Right. Apparently this "security" feature came about because people followed instructions on random Facebook pages saying "paste this in your address bar to activate $RANDOM_FAKE_FACEBOOK_FEATURE".
You can still run JavaScript via the Scratchpad (Web Developer -> Scratchpad, or hit Shift-F4).
Yeah, I caught this hanging out at the bottom of the list too... Immediately set to thinking how I'm gonna have to go rewrite the dozen or so bookmarklets I've written to support FF6.
Goodbye bookmarklets?