- From: <bugzilla@jessica.w3.org>
- Date: Tue, 12 Nov 2013 20:13:34 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20322

--- Comment #9 from Hallvord R. M. Steen <hsteen@mozilla.com> ---

Anne's last comment had some details I didn't really respond to above.

> Otherwise event listeners registered after send() is invoked will
> still get events.

Hm.. If xhr is an async request object, and a script does this:

    xhr.send(data)
    xhr.upload.onloadend = function(){...}

it sounds like you're saying the loadend listener should not fire - ? Why not?

> It's not entirely clear to me how you cannot figure out the
> server exists with just <img>, but I guess it makes timing
> attacks even easier maybe? Still feels somewhat sketchy.

http://xhr.spec.whatwg.org/#security-considerations has a useful statement about reading information like the size of resources with progress events. That's certainly sufficient reason to require a preflight here.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 12 November 2013 20:13:36 UTC