I was using the term "port scanning" incorrectly. I meant any kind of local network probing.
The linked code does use onload: img.onload = img.onerror; I think it just assumes that if an image request returns more quickly than some standard timeout, then there is an endpoint there. I think you're right though about custom ports. A policy implementor can either: (1) Use a proxy that responds the same way to a non-existent endpoint as to one without servable resources. (2) Whitelist hosts and disallow non-standard ports. Should we allow this, and add a note to the UrlPolicy wiki page about the above two conditions? http://codereview.appspot.com/115084
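
Added example, not part of the original comment or the linked code: a sketch of condition (2), a policy check that admits only allowlisted hosts on the scheme's default port. The names checkUrl and ALLOWED_HOSTS and the example.com hosts are assumptions for illustration, not the UrlPolicy API.

```javascript
// Hypothetical policy check for condition (2): allowlisted hosts only,
// default ports only. Names and hosts are constructed for this example.
const ALLOWED_HOSTS = new Set(["static.example.com", "images.example.com"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkUrl(rawUrl) {
  let u;
  try {
    // The WHATWG parser lowercases the host and normalises numeric forms
    // (e.g. 0x7f.1 becomes 127.0.0.1), so comparisons run on one canonical
    // spelling rather than on the raw string.
    u = new URL(rawUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return { allowed: false, reason: "scheme not allowed" };
  }
  // Compare the parsed hostname, never a substring of the raw URL:
  // "http://static.example.com@10.0.0.1/" has hostname 10.0.0.1.
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    return { allowed: false, reason: "host not allowlisted" };
  }
  // URL.port is the empty string when the port is absent or equals the
  // scheme default (80 for http, 443 for https); anything else is custom.
  if (u.port !== "") {
    return { allowed: false, reason: "non-standard port" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs.
const samples = [
  "https://static.example.com/a.png",
  "http://static.example.com:8080/a.png",
  "http://192.168.1.1/favicon.ico",
  "http://static.example.com@10.0.0.1/x.png",
];
for (const s of samples) {
  const r = checkUrl(s);
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${s} (${r.reason})`);
}
```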
