Your mail looks like this...

http://seclists.org/fulldisclosure/2007/Jul/0288.html
http://seclists.org/fulldisclosure/2007/Jul/0290.html

You only put your eyes on the status bar, but the data URL scheme address bar spoofing on Firefox isn't your discovery.