I thought this was interesting, although the actual security impact is hard to assess. Various sites "leak" information not through the payload returned by a particular HTTP request, but simply by the response code. Thus, as this article illustrates, we can find out, for example, whether a user is logged on to sites like Facebook as follows:
- find a particular page that responds with an error code or not depending on whether or not the user is logged on;
- using a "script" tag, ask the browser to load that page as though it were a script;
- in the onload() and onerror() handlers, take action that assumes the user is logged on in the first place and not in the second.
The fact that a user is logged into, say, Facebook or GMail probably isn't a very exciting discovery: half the Internet population probably are at any given moment. But more controversial sites may want to think about what kind of information they accidentally leak in this way.