On Wed, 21 Sep 2011 08:16:41 +0200, Simon Pieters <sim...@opera.com> wrote:

> On Wed, 21 Sep 2011 05:02:47 +0200, Boris Zbarsky <bzbar...@mit.edu>
> wrote:
>
>> On 9/20/11 5:40 PM, Simon Pieters wrote:
>>> However, it is still possible to tell if the user is logged in or not
>>> if a site serves a script for a particular URL when the user is logged
>>> in and redirects to the home page or so when the user is not logged in.
>>
>> Can't you tell this from the load event for the <script> tag, without
>> involving the error event in any way?
>>
>> I'd love it if we could close this hole up, but the ship has long
>> sailed. :(
>>
>>> There are other ways to
>>> tell if the user is logged in, however it seems we should try to keep
>>> them to a minimum.
>>
>> I'm not sure that onerror and onload are really different ways to tell
>> here.
>>
>> Unless the proposal is that in this case onload fire instead of onerror
>> for the script that ends up as an HTML document?
>
> We don't support <script onload> yet. When we implement that, it's
> likely that we would try to find ways to not leak information in some
> way (possibly always firing onload for cross-origin scripts if that
> doesn't break Web sites).

Oops. Bogus testing on my part. We do support <script onload>. Will have
to investigate whether we should change our behavior for the cross-origin
case.

--
Simon Pieters
Opera Software