User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Recently I have been making a research and visited a lot of websites in different tabs. Suddenly firefox began jumping on the screen infinitly, I began checking each windows until I found this: {script type="text/javascript"} window.onerror = function() {return true;}; setInterval(function(){ moveBy(1,-1); },10) setInterval(function(){ moveBy(-1,1); },11) {/script} Now I realized how SAD it is that 1 website out of 30 open website tabs is almost making a denial of service attack on my surf! as a security researcher I must say I can see the vulnerabilities followed by this design. I believe javascript code must no be executing while the tab is focused out and if it must, at least the access to the "window." functions such as moveTo,resizeTo,moveBy... should not be accessible at that time. Reproducible: Always Steps to Reproduce: 1. Open a few different domains in different tabs 2. Surf to a domain containing the following script code {script type="text/javascript"} window.onerror = function() {return true;}; setInterval(function(){ moveBy(1,-1); },10) setInterval(function(){ moveBy(-1,1); },11) {/script} 3. Suffer :) Actual Results: The entire browser window is jumping infinitly! Expected Results: The window must not move while inside any other tab different than the one with the evil javascript. You can see a live sample of this script on http://mario.heideri.ch/

There is an option to disable that ability globally in preferences (Content tab, "Advanced" button near the Javascript setting). It's fairly popular, and we even tried to make that the default setting in Firefox 3, but we broke some major sites and had to back off. read the sad tale in bug 412862 Similar suggestions in bug 186708 (don't move/resize if toolbars-that is, not a popup) and bug 144069 (don't move/resize if other tabs). Blocking if not active is another approach but doesn't really limit the abuse potential -- sites that abuse this usually start when you first open it, they don't wait for you to move to some other tab.