User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 An iframe inside an absolute positioned parent div and a div serving as a 'close button'. The 'close button' div must be also absolute positioned inside the parent div. Removing the parent div from document body causes a fatal crash if the iframe is active. <body> <div id="a" style="position:absolute"> <iframe></iframe> <div style="position:absolute" onmousemove="document.body.removeChild(document.getElementById('a'))"> 1. click iframe 2. move mouse here </div> </div> </body> Reproducible: Always Steps to Reproduce: 1. Open the attached document 2. Click the iframe in the document 3. Move cursor inside the "move mouse here" text Actual Results: The browser crashes immediately Expected Results: The div should be hided
No crash for me, Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050808 Firefox/1.0+ This doesn't sound like a security hole to me. Some crashes are security holes, such as buffer overflows or crashes that affect server software, but most aren't.
Crashes 1.0.6 but not Deer Park (trunk). The crash was executing address 0x00000000, which isn't a security issue that would cause a branch re-spin.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME
Version: unspecified → 1.0 Branch
<- VERI. v1.0.x is for security releases, and as per comment 2, this isn't a security issue.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.