[whatwg] "complete" DOM attribute (image elements)

On Sun, 30 Aug 2009, Boris Zbarsky wrote:
> Ian Hickson wrote:
> > On Sun, 2 Sep 2007, Gavin Sharp wrote:
> > > It appears this behavior was explicitly chosen in Mozilla, in bug 190561
> > > (https://bugzilla.mozilla.org/show_bug.cgi?id=190561). I think the
> > > arguments given in that bug might merit reconsideration; detection of
> > > image existence is currently possible by other means
> How, exactly?

Checking the image dimensions from .width/.height, checking how the image 
affects the rendering, checking whether an <iframe> fires onload or 
onerror, checking whether an <object> instantiates its fallback content's
plugins, etc.

> > My findings match yours. I have left the spec as is, for compatibility 
> > with IE, and because it seems the most logical.
> It seems like a privacy leak to me, in the case of cross-site images.

It's a privacy leak and can be used with <meta http-equiv="refresh"> to do 
scriptless port scanning, even, but that's just the way it is, at this 
point. Not sure we can ever do anything about that.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 3 September 2009 04:37:24 UTC