[whatwg] window.onerror and cross-origin scripts

Boris Zbarsky bzbarsky at MIT.EDU
Tue Sep 20 20:02:47 PDT 2011


On 9/20/11 5:40 PM, Simon Pieters wrote:
> However, it is still possible to tell if the user is logged in or not if
> a site serves a script for a particular URL when the user is logged in
> and redirects to the home page or so when the user is not logged in.

Can't you tell this from the load event for the <script> tag, without 
involving the error event in any way?

I'd love it if we could close this hole up, but the ship has long 
sailed.  :(

> There are other ways to
> tell if the user is logged in, however it seems we should try to keep
> them to a minimum.

I'm not sure that onerror and onload are really different ways to tell here.

Unless the proposal is that in this case onload fire instead of onerror 
for the script that ends up as an HTML document?

-Boris


