[whatwg] window.onerror and cross-origin scripts
simonp at opera.com
Tue Sep 20 23:16:41 PDT 2011
On Wed, 21 Sep 2011 05:02:47 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 9/20/11 5:40 PM, Simon Pieters wrote:
>> However, it is still possible to tell if the user is logged in or not if
>> a site serves a script for a particular URL when the user is logged in
>> and redirects to the home page or so when the user is not logged in.
> Can't you tell this from the load event for the <script> tag, without
> involving the error event in any way?
> I'd love it if we could close this hole up, but the ship has long
> sailed. :(
>> There are other ways to
>> tell if the user is logged in, however it seems we should try to keep
>> them to a minimum.
> I'm not sure that onerror and onload are really different ways to tell
> Unless the proposal is that in this case onload fire instead of onerror
> for the script that ends up as an HTML document?
We don't support <script onload> yet. When we implement that, it's likely
that we would try to find ways to not leak information in some way
(possibly always firing onload for cross-origin scripts if that doesn't
break Web sites).
More information about the whatwg