Created attachment 175519 [details] Source Code of the frame loaded from the URL listed above (RAW servertraffic log via PuTTY)
Automatic form submission used to allow opening pop-ups, but that was fixed in bug 210560. Other than that, automatic form submission is not a security hole.
If onload form submit were blocked sites could still transmit information in other ways, for instance in the query string of an image they load. The code in the attachment uses flash to bypass the popup blocker. That's bug 176079 *** This bug has been marked as a duplicate of 176079 ***