John,

I don't know how to exploit this without the execution of an AppleScript, which is not possible if the victim user doesn't confirm it. If you've found a way to execute AppleScripts by simply accessing a website, it would be a much more interesting kind of vulnerability. IMHO I see no other way to do this. Any suggestion is really appreciated.

Thanks,
-p