[whatwg] "complete" DOM attribute (image elements)

Simon Pieters simonp at opera.com
Sun Aug 30 22:54:06 PDT 2009


On Mon, 31 Aug 2009 06:20:19 +0200, Gavin Sharp <gavin.sharp at gmail.com> wrote:

> On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<bzbarsky at mit.edu> wrote:
>>> https://people.mozilla.com/~gavin/detect-image.html
>>
>> A site that cared about that could send image types for its image 404s,
>> no? Or does the spec require those to not be shown?
>
> I don't know what the spec requires,

"Whether the image is fetched successfully or not (e.g. whether the  
response code was a 2xx code or equivalent) must be ignored when  
determining the image's type and whether it is a valid image.

Note: This allows servers to return images with error responses, and have  
them displayed."

http://www.whatwg.org/specs/web-apps/current-work/multipage/text-level-semantics.html#the-img-element


> but if the site did that, it
> would mitigate the <img>.complete "attack" just as effectively as the
> observe-layout attack, so I fail to see why changing Gecko's behavior
> would introduce a privacy leak.


-- 
Simon Pieters
Opera Software
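
The mitigation discussed in this thread (sending an image body with the error response), sketched as an added example that is not part of the original message. The path, function names and the 1x1 PNG are constructed for illustration, and `wouldRenderAsImage` is a simplified model of the quoted spec rule, not browser code.

```javascript
// Constructed sample: a 1x1 transparent PNG used as both the real and the error image.
const PNG_1X1 = Buffer.from(
  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==",
  "base64");
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Hypothetical image store: one image that only logged-in users may fetch.
const IMAGES = new Map([["/private/avatar.png", PNG_1X1]]);

// Work out the status code the same way in both variants.
function statusFor(path, loggedIn) {
  if (!IMAGES.has(path)) return 404;
  return loggedIn ? 200 : 403;
}

// Weak variant: errors carry an HTML body, so an <img> pointing at the URL
// decodes for a logged-in visitor and fails to decode for everyone else.
function respondWeak(path, loggedIn) {
  const status = statusFor(path, loggedIn);
  if (status === 200) {
    return { status, headers: { "Content-Type": "image/png" }, body: IMAGES.get(path) };
  }
  return { status, headers: { "Content-Type": "text/html" },
           body: Buffer.from("<h1>Error " + status + "</h1>") };
}

// Hardened variant: the status code still reports the error, but the body is
// always a valid image, so every outcome decodes as an image.
function respondHardened(path, loggedIn) {
  const status = statusFor(path, loggedIn);
  const body = status === 200 ? IMAGES.get(path) : PNG_1X1;
  return { status, headers: { "Content-Type": "image/png" }, body };
}

// Simplified model of the quoted rule: the response code is ignored and only
// the body decides whether this is a valid image (PNG signature check only).
function wouldRenderAsImage(response) {
  return response.body.subarray(0, 8).equals(PNG_SIGNATURE);
}
```

For the outcomes to stay indistinguishable to an embedding page, the error image should have the same dimensions as the real one; the single 1x1 sample here sidesteps that.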

