A recent thread on sla.ckers.org discussing a vulnerability in neopets actually got me thinking. Spikeman posted that you could detect once the page had completed loading in an iframe using an onload event handler. More timing attacks anyone? Well that’s not all. In Firefox it actually has a peculiar behavior. In IE (as it should) the onload event handler works all the time, because the page has finished loading. In Firefox it doesn’t fire if the browser encounters an error. An error could be something as simple as the server is not up (I have not tested with other server errors).