- From: Gavin Sharp <gavin.sharp@gmail.com>
- Date: Mon, 31 Aug 2009 00:20:19 -0400
On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<bzbarsky at mit.edu> wrote: >> https://people.mozilla.com/~gavin/detect-image.html > > A site that cared about that could send image types for its image 404s, no? > ?Or does the spec require those to not be shown? I don't know what the spec requires, but if the site did that, it would mitigate the <img>.complete "attack" just as effectively as the observe-layout attack, so I fail to see why changing Gecko's behavior would introduce a privacy leak. Gavin
Received on Sunday, 30 August 2009 21:20:19 UTC