- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 3 Sep 2009 11:37:24 +0000 (UTC)
On Sun, 30 Aug 2009, Boris Zbarsky wrote: > Ian Hickson wrote: > > On Sun, 2 Sep 2007, Gavin Sharp wrote: > > > It appears this behavior was explicitly chosen in Mozilla, in bug 190561 > > > (https://bugzilla.mozilla.org/show_bug.cgi?id=190561). I think the > > > arguments given in that bug might merit reconsideration; detection of > > > image existence is currently possible by other means > > How, exactly? Checking the image dimensions from .width/.height, checking how the image affects the rendering, checking whether an <iframe> fires onload or onerror, checking whether an <object> instantiates its fallback content's plugins, etc. > > My findings match yours. I have left the spec as is, for compatibility > > with IE, and because it seems the most logical. > > It seems like a privacy leak to me, in the case of cross-site images. It's a privacy leak and can be used with <meta http-equiv="refresh"> to do scriptless port scanning, even, but that's just the way it is, at this point. Not sure we can ever do anything about that. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2009 04:37:24 UTC