On Wed, 21 Sep 2011 19:36:23 +0200, Boris Zbarsky <[email protected]> wrote:
On 9/21/11 5:25 AM, Simon Pieters wrote:
Oops. Bogus testing on my part. We do support <script onload>. Will have
to investigate whether we should change our behavior for the
cross-origin case.
One other thing.
Are we talking about error events fired on the <script> element?
Or error events fired on the window due to exceptions thrown by a script?
Or both?
Your initial post seemed to be about the latter, but expressed concerns
that are applicable to both to some extent....
I was talking about window.onerror. <script onerror> per spec fires for
empty src="", unresolvable URL and network errors (DNS or 404). If we want
to make onload always fire for cross-origin, it would make sense for
<script onerror> to not fire for network errors. (Opera doesn't fire error
on script, assuming my testing isn't bogus this time.)
I don't know if it's worth it to try to plug this hole this way, however.
We won't be able to plug it everywhere, e.g. <img> will expose if an image
is loaded. So masking onload/onerror for script just makes the feature
less useful without solving the problem. Maybe we should instead focus on
implementing the From-Origin header and try to get sites to use that.
--
Simon Pieters
Opera Software
