Bug 195030 - no protection against recursive plugin loading via EMBED/OBJECT tag
Product: Core
Classification: Components
Component: Plug-ins
: Trunk
: All All
P3 normal with 3 votes
: ---
Assigned To: John Schoenick [:johns]
: Benjamin Smedberg [:bsmedberg]
Duplicates: 199631
Depends on: 745030
Blocks: popups
Reported: 2003-02-25 20:55 PST by Miquel "Fire" Burns
Modified: 2012-08-07 17:28 PDT

testcase (70 bytes, text/html)
2003-03-29 08:41 PST, Mike Goodspeed
no flags

Description Miquel "Fire" Burns 2003-02-25 20:55:03 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

On this one page at, a new window with
the page pops open every time the page is opened (which results in the browser just
reopening the page in a new window over and over again until you can click the
close button before the page loads up on a new window) because of a possible bug
with the embed tag. The tag reads like this:
I'm not sure how Mozilla is supposed to handle code like this, but something
like this will make it possible to bypass the setting for javascript's
unrequested window option.

Reproducible: Always

Steps to Reproduce:
1. Open page in Mozilla.
Actual Results:  
A new window will open with the page, in this case the same which results in
what appears to be malicious javascript.
Comment 1 timeless 2003-02-28 13:05:10 PST
as annoying as this is, this is not a security bug
Comment 2 Peter Lubczynski 2003-03-25 15:49:30 PST
Here's the problem:

This URL feeds an HTML document with text/html:

Then has an EMBED tag like:
<EMBED src=

..which takes us for a loop...

This is partly blocked by handling relative urls that hand back text/html in bug
Comment 3 Alfonso Martinez 2003-03-29 04:18:00 PST
*** Bug 199631 has been marked as a duplicate of this bug. ***
Comment 4 Mike Goodspeed 2003-03-29 08:41:16 PST
Created attachment 118861

From my comment of dupe bug 199631:

It has to do with an embed.  The lines in question seem to be 

<noembed><bgsound SRC=""></noembed>

Where it recursively calls itself.  If you go to the URL with javascript off it
gives you a "Plug-in Not Loaded" window:

Information on this page requires a plugin for:
Navigator can retrieve... blah blah blah...

The testcase pops up a new window going to google (so you won't crash your
browser doing testing).  It is just one line:

Comment 5 John Schoenick [:johns] 2012-05-11 15:37:30 PDT
I believe this has long since been fixed, documents are only allowed in <objects> now, which check against recursive loads.

Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
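
A simplified model of the kind of recursive-load check comment 5 refers to, as an added example that is not Gecko's code and not part of the original bug report. The function names, the `MAX_DEPTH` value, and the `example.test` URLs are assumptions made for illustration.

```javascript
// Illustrative recursion guard for <embed>/<object> document loads.
// Not Gecko code; MAX_DEPTH is an assumed limit chosen for this example.
const MAX_DEPTH = 10;

// Resolve src against the embedding document and drop the #fragment, so
// "page.html#x" embedded in page.html is recognised as the same document.
function normalize(src, baseUrl) {
  const u = new URL(src, baseUrl);
  u.hash = "";
  return u.href;
}

// ancestors: URLs of the embedding chain, outermost first; the last entry is
// the document that contains the tag being processed.
function checkEmbedLoad(src, ancestors) {
  const base = ancestors[ancestors.length - 1];
  let target;
  try {
    target = normalize(src, base);
  } catch (e) {
    return { allow: false, reason: "invalid-url" };
  }
  // A varying query string defeats the URL comparison below, so also cap depth.
  if (ancestors.length >= MAX_DEPTH) return { allow: false, reason: "too-deep" };
  for (const a of ancestors) {
    if (normalize(a, base) === target) return { allow: false, reason: "recursive" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample site: each URL maps to the src values of its embed tags.
const SAMPLE_SITE = {
  "http://example.test/page.html": ["page.html#x", "clip.swf"], // embeds itself
  "http://example.test/a.html": ["b.html"],
  "http://example.test/b.html": ["a.html"], // indirect cycle a -> b -> a
};

// Walk the embed tree and return every load the guard refused.
function simulate(url, site, ancestors = []) {
  const chain = [...ancestors, url];
  const blocked = [];
  for (const src of site[url] || []) {
    const verdict = checkEmbedLoad(src, chain);
    if (verdict.allow) blocked.push(...simulate(normalize(src, url), site, chain));
    else blocked.push({ from: url, src, reason: verdict.reason });
  }
  return blocked;
}
```

Regression tests for this class of bug should cover the direct self-embed, the indirect cycle, and a chain whose URLs differ only in the query string.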
