IE pwns SecondLife - bah. I've always had something against fancy URL handlers that also inherit parameters from the calls. The problem is - why should an application trust a URL? If a call is made via a URL, the program should always classify this as untrusted and never initiate an activity that could potentially be dangerous without informing the user. The culprit here is -autologin in SecondLife - it shouldn't work in this situation at all. The browsers should of course also check the data (and Mozilla's reaction is correct, that Firefox was fixed accordingly when the problem also appeared there), but the real problem lies with the Second Life client.