A couple of messages have appeared on the Bugtraq mailing list concerning the use of X to control a Netscape client. I think there's a fundamental point being missed here: control of the Netscape client is done through X properties and thereby REQUIRES that one already have control of the X server. The situation described (Web server manipulates a Netscape instance remotely) isn't possible unless the server ALREADY has unfettered access to the X server; even if this were true, the attack would be conducted via the X mechanisms and not HTTP. The server-side include example cited wouldn't work, since the program would be executed on the Web server end, not the client (running the X server). Phil -- Phil Wherry - psw@wherry.com Phone: +1 703 242-2618; fax +1 703 242-1167