- From: Simon Pieters <simonp@opera.com>
- Date: Wed, 21 Sep 2011 11:25:34 +0200
On Wed, 21 Sep 2011 08:16:41 +0200, Simon Pieters <simonp at opera.com> wrote: > On Wed, 21 Sep 2011 05:02:47 +0200, Boris Zbarsky <bzbarsky at mit.edu> > wrote: > >> On 9/20/11 5:40 PM, Simon Pieters wrote: >>> However, it is still possible to tell if the user is logged in or not >>> if >>> a site serves a script for a particular URL when the user is logged in >>> and redirects to the home page or so when the user is not logged in. >> >> Can't you tell this from the load event for the <script> tag, without >> involving the error event in any way? >> >> I'd love it if we could close this hole up, but the ship has long >> sailed. :( >> >>> There are other ways to >>> tell if the user is logged in, however it seems we should try to keep >>> them to a minimum. >> >> I'm not sure that onerror and onload are really different ways to tell >> here. >> >> Unless the proposal is that in this case onload fire instead of onerror >> for the script that ends up as an HTML document? > > We don't support <script onload> yet. When we implement that, it's > likely that we would try to find ways to not leak information in some > way (possibly always firing onload for cross-origin scripts if that > doesn't break Web sites). Oops. Bogus testing on my part. We do support <script onload>. Will have to investigate whether we should change our behavior for the cross-origin case. -- Simon Pieters Opera Software
Received on Wednesday, 21 September 2011 02:25:34 UTC