Re: Abusing HTTP status codes to deanonymize web users

On Thu, May 7, 2015 at 10:50 PM, Ahmed Elsobky wrote:
> <script src= onerror="javascript:x=1">

Do you have a test case showing that <script> fires an error event
consistently for 4xx or 5xx status codes? I thought it would always
try to parse the result as a script and execute it.

> ..Any thoughts?

I proposed at
some point to mitigate this. There wasn't much interest.


Received on Friday, 8 May 2015 05:13:59 UTC