
[whatwg] "complete" DOM attribute (image elements)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 3 Sep 2009 11:37:24 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0909031135030.6775@hixie.dreamhostps.com>

On Sun, 30 Aug 2009, Boris Zbarsky wrote:
> Ian Hickson wrote:
> > On Sun, 2 Sep 2007, Gavin Sharp wrote:
> > > It appears this behavior was explicitly chosen in Mozilla, in bug 190561
> > > (https://bugzilla.mozilla.org/show_bug.cgi?id=190561). I think the
> > > arguments given in that bug might merit reconsideration; detection of
> > > image existence is currently possible by other means
> 
> How, exactly?

Checking the image dimensions from .width/.height, checking how the image 
affects the rendering, checking whether an <iframe> fires onload or 
onerror, checking whether an <object> instantiates its fallback content's
plugins, etc.


> > My findings match yours. I have left the spec as is, for compatibility 
> > with IE, and because it seems the most logical.
> 
> It seems like a privacy leak to me, in the case of cross-site images.

It's a privacy leak and can be used with <meta http-equiv="refresh"> to do 
scriptless port scanning, even, but that's just the way it is, at this 
point. Not sure we can ever do anything about that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2009 04:37:24 UTC
