From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523 BuildID: 2002052316 JavaScript code can be called from a Java applet, regardless of whether or not JavaScript is disabled in Mozilla's preferences menu. This seems to apply to any JavaScript code in general, and it should also be noted that opening a window works even if "Open unrequested windows" is unchecked in Mozilla's preferences menu. The provided URL shows a demo of this exploit (if one can call it that). Reproducible: Always Steps to Reproduce: 1.Go to http://www.california.com/~binard/java/J2Js.html 2. 3. Actual Results: JavaScript code was run by the Java applet, even though JavaScript was disabled in Preferences, and new windows were popped up even though that should have been disabled as well. Expected Results: No JavaScript code should have been allowed to run, and no new windows allowed to be open.

I'm not seeing any popups or alerts. 2002052306 - win98 Though I have this feeling my java is borked...

related bug 150340

Mozilla crashes when the demo URL (http://www.california.com/~binard/java/J2Js.html) is visited. Mozilla info: Mozilla 1.2a Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910 Plugins info: Java Plug-in1.3.1_04 FileName: libjavaplugin_oji.so

Got it - the JSObject functions in NSCLiveConnect.cpp need to call nsIScriptSecurityManager::CanExecuteScripts. I should probably refactor some getService calls; probably cache the security manager service here. Patch coming soon.

For Netscape folks, there's a simplified testcase at http://warp.mcom.com/u/mstoltz/bugs/CallJS.html

Comment on attachment 114833 [details] [diff] [review] Patch - call CanExecuteScripts before calling from Java to JS. sr=jst

Fix checked in.