[whatwg] "complete" DOM attribute (image elements)
Ian Hickson
ian at hixie.ch
Thu Sep 3 04:37:24 PDT 2009
On Sun, 30 Aug 2009, Boris Zbarsky wrote:
> Ian Hickson wrote:
> > On Sun, 2 Sep 2007, Gavin Sharp wrote:
> > > It appears this behavior was explicitly chosen in Mozilla, in bug 190561
> > > (https://bugzilla.mozilla.org/show_bug.cgi?id=190561). I think the
> > > arguments given in that bug might merit reconsideration; detection of
> > > image existence is currently possible by other means
>
> How, exactly?
Checking the image dimensions from .width/.height, checking how the image
affects the rendering, checking whether an <iframe> fires onload or
onerror, checking whether an <object> instantiates its fallback content's
plugins, etc.
> > My findings match yours. I have left the spec as is, for compatibility
> > with IE, and because it seems the most logical.
>
> It seems like a privacy leak to me, in the case of cross-site images.
It's a privacy leak and can be used with <meta http-equiv="refresh"> to do
scriptless port scanning, even, but that's just the way it is, at this
point. Not sure we can ever do anything about that.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list