User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 It is possible to bypass Firefox's protection against pop-up windows via a Java applet, as the demonstrating URL indicates. Reproducible: Always Steps to Reproduce: 1. Make sure Java is enabled. 2. Go to the site. Actual Results: Hundreds of pop-ups, followed by Firefox crashing. Expected Results: No pop-ups. Since, you know, I have them turned off.

confirming, this occurs for me when using 2004-07-27 (firefox, aviary1.0 branch) bits on linux fedora core 1 and mac 10.3.4. would this be feasible to fix (ie, block unwanted popups issued via Java)?

Probably the exact same thing as bug 176079. I'll mark this bug dependent for now.

No, these bugs are not dependent. Here we have normal Java windows, not Mozilla windows. I think, this problem has to be be solved (if at all) by means of Java's SecurityManager - in the plugin itself.

This is a valid bug. I just wanted to mention that stopping Java opening popup windows altogether would seriously impact sites (mainly intranets) that use real-work Java applets. These often have quite complex UI including popup dialogs. So I hope nobody would be tempted to implement that hack. :) If a change is implemented, suggest making it stop Java opening popups in a similar manner to the HTML technique i.e. Java applets can open popups as much as they like once somebody has clicked on or focused the applet. This would prevent malicious applets opening popups onload. I suspect this would be difficult to implement without co-ordination with the Java 1.5 developers, but I don't know...

IMO it is more a duplicate as an dependency. Bug 150340 is for plugins in general.

fyi: the demo from "URL" field (http://66.195.18.30/5000000fucks.html) is now 404 :(

When opening a map from map24.de inside a tab, a java applet is loaded. This applet is also displayed within other tabs when one scrolls them, and the tab receives at least mouse events. Because this applet doesn't have window borders, one cannot distinguish it easily form the other tab's contents. I fear that this can be used for "bad things". Version: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0

(In reply to comment #7) What you describe is a bug of course but it has nothing to do with the issue discussed here. Please use the search to find a bug dealing with your problem, I'm pretty sure there is one already.

Was this fixed with bug 176079 / http://weblogs.mozillazine.org/jst/archives/2005/06/killing_more_po.html?

No, these is a very different issue. As already noted in comment 3, the demo was demonstrating an Java applet opening Java windows, not browser windows. This can only be solved by adjusting the security policy of the applet. The demo is gone, I'm attaching another applet demonstrating the same thing.

Enter some number into the input field and click "Open" - the applet will open the required number of windows.