On Thu, 22 Sep 2011 16:02:30 +0200, Simon Pieters <sim...@opera.com> wrote:
I was talking about window.onerror. <script onerror> per spec fires for
empty src="", unresolvable URL and network errors (DNS or 404). If we
want to make onload always fire for cross-origin, it would make sense
for <script onerror> to not fire for network errors. (Opera doesn't fire
error on script, assuming my testing isn't bogus this time.)
I don't know if it's worth it to try to plug this hole this way,
however. We won't be able to plug it everywhere, e.g. <img> will expose
if an image is loaded. So masking onload/onerror for script just makes
the feature less useful without solving the problem. Maybe we should
instead focus on implementing the From-Origin header and try to get
sites to use that.
It was pointed out to me that the following site expects an error event
for a cross-origin script (which returns 404):
http://www.alvoradafm.com.br/Player/player.html
which tries to load http://lp.longtailvideo.com/5/%20gapro/%20gapro.js
--
Simon Pieters
Opera Software
