jlogsdon | 11 years ago

It's all possible with HTTP statuses according to a link[1] posted above.

[1] https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Pri...

ZoFreX | 11 years ago

What legitimate use do those onerror / onload callbacks have... that seems like the kind of thing that should be restricted to same origin!

f- | 11 years ago

Similarly to CSP, onload and onerror are not the only ways to pull it off. The effect of successfully or unsuccessfully loading images or scripts can usually be inferred without that; for example, images have dimensions that, even if you take away the ability to read them directly, can be inferred from the changes to the layout of the nearby elements.

TheLoneWolfling | 11 years ago

I've seen it used for fallbacks when loading resources hosted on a CDN.