- From: Simon Pieters <simonp@opera.com>
- Date: Mon, 31 Aug 2009 07:54:06 +0200
On Mon, 31 Aug 2009 06:20:19 +0200, Gavin Sharp <gavin.sharp at gmail.com> wrote:

> On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<bzbarsky at mit.edu> wrote:
>>> https://people.mozilla.com/~gavin/detect-image.html
>>
>> A site that cared about that could send image types for its image 404s,
>> no?
>> Or does the spec require those to not be shown?
>
> I don't know what the spec requires,

"Whether the image is fetched successfully or not (e.g. whether the response code was a 2xx code or equivalent) must be ignored when determining the image's type and whether it is a valid image.

Note: This allows servers to return images with error responses, and have them displayed."

http://www.whatwg.org/specs/web-apps/current-work/multipage/text-level-semantics.html#the-img-element

> but if the site did that, it
> would mitigate the <img>.complete "attack" just as effectively as the
> observe-layout attack, so I fail to see why changing Gecko's behavior
> would introduce a privacy leak.

-- 
Simon Pieters
Opera Software
Received on Sunday, 30 August 2009 22:54:06 UTC
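
The server-side mitigation discussed in this thread, sketched as an added example that is not part of the original message or of any browser's or site's code: image URLs answer 404 and 403 with a valid image body, which the quoted spec text says is still displayed. The paths, the IMAGES store, the isLoggedIn callback and the function names are hypothetical, and the GIF bytes are a constructed 1x1 placeholder.

```javascript
// Constructed 1x1 GIF, used as the body of every image error response.
const PLACEHOLDER_GIF = Buffer.from(
  'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

// Constructed sample store (hypothetical paths): path -> image record.
const IMAGES = new Map([
  ['/img/logo.gif', { body: PLACEHOLDER_GIF, type: 'image/gif', membersOnly: false }],
  ['/img/private/avatar.gif', { body: PLACEHOLDER_GIF, type: 'image/gif', membersOnly: true }],
]);

function imageHeaders(type, body) {
  return {
    'Content-Type': type,
    'Content-Length': String(body.length),
    // Keep a response chosen by login state out of shared and browser caches.
    'Cache-Control': 'no-store',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Decide status and body for an image URL. Error statuses keep their meaning
// for logs and well-behaved clients, but still carry a decodable image, so an
// <img> pointing here loads whether or not the visitor is logged in.
function respondToImageRequest(path, loggedIn) {
  const img = IMAGES.get(path);
  const placeholder = (status) => ({
    status,
    headers: imageHeaders('image/gif', PLACEHOLDER_GIF),
    body: PLACEHOLDER_GIF,
  });
  if (!img) return placeholder(404);
  if (img.membersOnly && !loggedIn) return placeholder(403);
  return { status: 200, headers: imageHeaders(img.type, img.body), body: img.body };
}

// Adapter for a Node-style (req, res) handler; isLoggedIn(req) is supplied by
// the application (hypothetical session check).
function handleImage(req, res, isLoggedIn) {
  const path = req.url.split('?')[0];
  const r = respondToImageRequest(path, isLoggedIn(req));
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```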