[whatwg] window.onerror and cross-origin scripts
Simon Pieters
simonp at opera.com
Wed Sep 21 02:25:34 PDT 2011
On Wed, 21 Sep 2011 08:16:41 +0200, Simon Pieters <simonp at opera.com> wrote:
> On Wed, 21 Sep 2011 05:02:47 +0200, Boris Zbarsky <bzbarsky at mit.edu>
> wrote:
>
>> On 9/20/11 5:40 PM, Simon Pieters wrote:
>>> However, it is still possible to tell if the user is logged in or not
>>> if
>>> a site serves a script for a particular URL when the user is logged in
>>> and redirects to the home page or so when the user is not logged in.
>>
>> Can't you tell this from the load event for the <script> tag, without
>> involving the error event in any way?
>>
>> I'd love it if we could close this hole up, but the ship has long
>> sailed. :(
>>
>>> There are other ways to
>>> tell if the user is logged in, however it seems we should try to keep
>>> them to a minimum.
>>
>> I'm not sure that onerror and onload are really different ways to tell
>> here.
>>
>> Unless the proposal is that in this case onload fire instead of onerror
>> for the script that ends up as an HTML document?
>
> We don't support <script onload> yet. When we implement that, it's
> likely that we would try to find ways to not leak information in some
> way (possibly always firing onload for cross-origin scripts if that
> doesn't break Web sites).
Oops. Bogus testing on my part. We do support <script onload>. Will have
to investigate whether we should change our behavior for the cross-origin
case.
--
Simon Pieters
Opera Software
More information about the whatwg
mailing list