Vulnerability Development mailing list archives

Re: IE5 crash


From: Dan Kaminsky <dankamin () CISCO COM>
Date: Mon, 25 Dec 2000 01:45:16 -0800

[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 62
Connection: Close
Content-Type: text/html
Location: javascript:with(navigator){n='\n';alert(userAgent+n+platform)}

Off the top of my head, I'd guess one of three things is happening here:

1)  Javascript Recognized But Not Instantiated:  The HTTP Redirection code
knows enough about Javascript to recognize it being called, but doesn't know
enough to actually complete the call.

2)  Javascript Objects Not Configured:  The HTTP Redirection code both knows
enough about Javascript to recognize its call *and* has the ability to
complete some Javascript operations, but this specific operation is
attempting to access variables/structures/objects/whatnot that haven't been
initialized yet.

3)  Javascript Operating Correctly Outside of Expected Territory:
Essentially, Javascript was built to be run inside the HTML parser, but is
being called outside of it and is stomping over the place.

Mind you, none of this should be taken even slightly as gospel--it could be
something as simple as that the browser doesn't know how to handle
references that don't contain a URL type (http, ftp, file, telnet, etc.)!
This is brought up as a way of possibly helping your investigation (if you're
in the mood to examine the problem further).  Do all Javascript references
cause failures, or just this one?  What about vbscript?  If some do succeed,
can they reference Javascript variables from referring pages?  Might there
be holes in the JS security model that aren't patched at the layer of HTTP?

Just some thoughts--hope they help.

--Dan Kaminsky
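As an added example, not part of Dan's post or the original thread: a small JavaScript filter, of the kind a proxy or fetch wrapper could apply, that parses a raw response like the one quoted above and refuses to follow a Location whose scheme is anything but http or https. The response text and the request URL are constructed for this illustration.

```javascript
// Added example, not from the original post: validate an HTTP redirect before
// following it. Only http/https targets pass; javascript:, vbscript:, data:,
// file: and the like are refused.

// Constructed sample modelled on the response quoted above ('\\n' keeps the
// literal backslash-n of the header value).
const SAMPLE_RESPONSE = [
  'HTTP/1.1 301 Moved Permanently',
  'Server: Apache/1.3.11 (Unix)',
  'Content-Type: text/html',
  "Location: javascript:with(navigator){n='\\n';alert(userAgent+n+platform)}",
  '', '',
].join('\r\n');

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Split status line and header block; header names are case-insensitive.
function parseResponseHead(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const m = /^HTTP\/\d\.\d (\d{3})\b/.exec(lines[0]);
  if (!m) throw new Error('malformed status line');
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(':');
    if (sep < 1) continue; // skip junk lines rather than guess at them
    headers.set(line.slice(0, sep).trim().toLowerCase(), line.slice(sep + 1).trim());
  }
  return { status: Number(m[1]), headers };
}

// Decide whether a 3xx Location may be followed. The WHATWG URL parser
// lowercases the scheme and drops embedded tabs/newlines, so obfuscated
// spellings still compare as 'javascript:'.
function checkRedirect(raw, requestUrl) {
  const { status, headers } = parseResponseHead(raw);
  if (status < 300 || status > 399 || !headers.has('location')) {
    return { redirect: false };
  }
  let target;
  try { target = new URL(headers.get('location'), requestUrl); }
  catch { return { redirect: true, allowed: false, reason: 'unparseable Location' }; }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { redirect: true, allowed: false, reason: `scheme ${target.protocol} rejected` };
  }
  return { redirect: true, allowed: true, target: target.href };
}
```

Calling `checkRedirect(SAMPLE_RESPONSE, 'http://example.test/')` reports the redirect as rejected with reason `scheme javascript: rejected`, while a relative `Location: /next` resolves against the request URL and is allowed.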
