- From: Simon Pieters <simonp@opera.com>
- Date: Thu, 22 Sep 2011 16:02:30 +0200
On Wed, 21 Sep 2011 19:36:23 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote: > On 9/21/11 5:25 AM, Simon Pieters wrote: >> Oops. Bogus testing on my part. We do support <script onload>. Will have >> to investigate whether we should change our behavior for the >> cross-origin case. > > One other thing. > > Are we talking about error events fired on the <script> element? > > Or error events fired on the window due to exceptions thrown by a script? > > Or both? > > Your initial post seemed to be about the latter, but expressed concerns > that are applicable to both to some extent.... I was talking about window.onerror. <script onerror> per spec fires for empty src="", unresolvable URL and network errors (DNS or 404). If we want to make onload always fire for cross-origin, it would make sense for <script onerror> to not fire for network errors. (Opera doesn't fire error on script, assuming my testing isn't bogus this time.) I don't know if it's worth it to try to plug this hole this way, however. We won't be able to plug it everywhere, e.g. <img> will expose if an image is loaded. So masking onload/onerror for script just makes the feature less useful without solving the problem. Maybe we should instead focus on implementing the From-Origin header and try to get sites to use that. -- Simon Pieters Opera Software
Received on Thursday, 22 September 2011 07:02:30 UTC