[whatwg] "complete" DOM attribute (image elements)

Ian Hickson ian at hixie.ch
Thu Sep 3 04:37:24 PDT 2009


On Sun, 30 Aug 2009, Boris Zbarsky wrote:
> Ian Hickson wrote:
> > On Sun, 2 Sep 2007, Gavin Sharp wrote:
> > > It appears this behavior was explicitly chosen in Mozilla, in bug 190561
> > > (https://bugzilla.mozilla.org/show_bug.cgi?id=190561). I think the
> > > arguments given in that bug might merit reconsideration; detection of
> > > image existence is currently possible by other means
> 
> How, exactly?

Checking the image dimensions from .width/.height, checking how the image 
affects the rendering, checking whether an <iframe> fires onload or 
onerror, checking whether an <object> instantiates its fallback content's
plugins, etc.


> > My findings match yours. I have left the spec as is, for compatibility 
> > with IE, and because it seems the most logical.
> 
> It seems like a privacy leak to me, in the case of cross-site images.

It's a privacy leak and can be used with <meta http-equiv="refresh"> to do 
scriptless port scanning, even, but that's just the way it is, at this 
point. Not sure we can ever do anything about that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list