- From: <bugzilla@jessica.w3.org>
- Date: Tue, 12 Nov 2013 20:13:34 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20322
--- Comment #9 from Hallvord R. M. Steen <hsteen@mozilla.com> ---
Anne's last comment had some details I didn't really respond to above.
> Otherwise event listeners registered after send() is invoked will
> still get events.
Hm.. If xhr is an async request object, and a script does this:
xhr.send(data)
xhr.upload.onloadend = function(){...}
it sounds like you're saying the loadend listener should not fire - ? Why not?
> It's not entirely clear to me how you cannot figure out the
> server exists with just <img>, but I guess it makes timing
> attacks even easier maybe? Still feels somewhat sketchy.
http://xhr.spec.whatwg.org/#security-considerations has a useful statement
about reading information like size of resources with progress events. That's
certainly sufficient reason to require a preflight here.
Received on Tuesday, 12 November 2013 20:13:36 UTC
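The rule under discussion, as an added example that is not part of the bug thread or the XHR spec's own text: a small model of an XHR whose "upload listener flag" is snapshotted when send() runs, so only listeners registered on xhr.upload before send() force a CORS preflight; listeners added afterwards (as in the snippet above) do not change that decision. The "simple request" check is a simplified form of Fetch's CORS-safelisted method/header rules (assumed here: only header names and Content-Type essences are checked, not value lengths).

```javascript
// Added example (not the thread's or the spec's own code). Models why upload
// progress listeners are treated as non-simple: they would expose information
// (e.g. whether a server exists, how much was accepted) without a preflight.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Simplified CORS-safelisted header test (assumption: parameters such as
// "; charset=utf-8" are stripped, value-length limits are ignored).
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n !== "content-type") return true;
  const essence = String(value).split(";")[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.has(essence);
}

function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method)) return false;
  return Object.entries(headers).every(([k, v]) => isSafelistedHeader(k, v));
}

// Model of a cross-origin XHR: counts xhr.upload listeners and decides the
// preflight question at the moment send() is invoked, exactly once.
class ModelXhr {
  constructor(method, headers = {}) {
    this.method = method.toUpperCase();
    this.headers = headers;
    this.uploadListeners = 0;        // listeners registered on xhr.upload
    this.uploadListenerFlag = false; // spec's "upload listener flag"
    this.usePreflight = null;        // null until send() has run
  }
  addUploadListener() { this.uploadListeners += 1; }
  send() {
    // Snapshot: listeners added after this point do not alter the decision.
    this.uploadListenerFlag = this.uploadListeners > 0;
    this.usePreflight = this.uploadListenerFlag || !isSimpleRequest(this.method, this.headers);
    return this.usePreflight;
  }
}
```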