
[whatwg] "complete" DOM attribute (image elements)

From: Gavin Sharp <gavin.sharp@gmail.com>
Date: Mon, 31 Aug 2009 00:20:19 -0400
Message-ID: <3d1fb26e0908302120s3553e54ay286ff38529f7a34f@mail.gmail.com>
On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> https://people.mozilla.com/~gavin/detect-image.html
>
> A site that cared about that could send image types for its image 404s, no?
> Or does the spec require those to not be shown?

I don't know what the spec requires, but if the site did that, it
would mitigate the <img>.complete "attack" just as effectively as the
observe-layout attack, so I fail to see why changing Gecko's behavior
would introduce a privacy leak.

Gavin
Received on Sunday, 30 August 2009 21:20:19 UTC
