This is a variant of Bug 333428. <object id="o" type="image/png" data="a.png"> o.data = "http://otherdomain/x.exe"; Changing an <object>'s .data property does not trigger a new image loading. Thus, the state of .onLoadedImage does not change.
> o.data = "http://otherdomain/x.exe"; Ah, please ignore "otherdomain". I inadvertently did copy and pasete from Bug 333428.
Created attachment 218088 [details] [diff] [review] patch I think this fixes this bug without regressing any of the other bugs, but I need to test more. At this point, I don't think this should block 1.0.8: it's a case of bug 293527 that's still present, but I don't think that bug is severe enough that it should block 1.0.8, especially considering the arbitrary code execution vulnerability that was fixed in bug 333305.
Looks good ... so far no regressions. Who will take care for advisories etc. for such 1.0.x only issues? Daniel, are there other issues for 184.108.40.206 that we (vendors) might want to backport to 1.0.x branch?
Chris, can you please review/checkin? I would like to take this for 1.0.9/1.7.14.
Sounds like this is WONTFIX, given that it only affects a now-unsupported branch.