[whatwg] "complete" DOM attribute (image elements)
Simon Pieters
simonp at opera.com
Sun Aug 30 22:54:06 PDT 2009
On Mon, 31 Aug 2009 06:20:19 +0200, Gavin Sharp <gavin.sharp at gmail.com>
wrote:
> On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<bzbarsky at mit.edu> wrote:
>>> https://people.mozilla.com/~gavin/detect-image.html
>>
>> A site that cared about that could send image types for its image 404s,
>> no?
>> Or does the spec require those to not be shown?
>
> I don't know what the spec requires,
"Whether the image is fetched successfully or not (e.g. whether the
response code was a 2xx code or equivalent) must be ignored when
determining the image's type and whether it is a valid image.
Note: This allows servers to return images with error responses, and have
them displayed."
http://www.whatwg.org/specs/web-apps/current-work/multipage/text-level-semantics.html#the-img-element
> but if the site did that, it
> would mitigate the <img>.complete "attack" just as effectively as the
> observe-layout attack, so I fail to see why changing Gecko's behavior
> would introduce a privacy leak.
--
Simon Pieters
Opera Software
More information about the whatwg
mailing list