The linked code does use onload:
   img.onload = img.onerror;
I think it just assumes that if an image request returns more quickly
than some standard timeout, then there is an endpoint there.

yeah, but the browser only fires the onload if the returned resource is
a valid img, and most probes are not going to be valid imgs.  I suppose
you could use onload to exhaustively search for valid image urls, but I
haven't thought of a way for that to be useful.

I think you're right though about custom ports.  A policy implementor
can either:
   (1) Use a proxy that responds the same way to a non-existent
       endpoint as to one without servable resources.
   (2) Whitelist hosts and disallow non-standard ports.

Should we allow this, and add a note to the UrlPolicy wiki page about
the above two conditions?

sounds good to me.


http://codereview.appspot.com/115084
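
Condition (2) from the thread above, sketched as an added example; it is not code from the thread or from the project's UrlPolicy. The function name `rewriteImageUrl` and the host list are assumptions made up for illustration, and the check relies on the standard WHATWG `URL` parser.

```javascript
// Added example: a hypothetical policy check, not the project's UrlPolicy API.
// ALLOWED_HOSTS is a constructed sample allowlist.
const ALLOWED_HOSTS = new Set(['images.example.com', 'static.example.com']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalized URL if an image fetch is permitted, otherwise null.
function rewriteImageUrl(raw) {
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // The parser reports an empty port when the scheme default (80/443) is in
  // use, even if it was written explicitly, so any non-empty value here is a
  // non-standard port and is refused.
  if (url.port !== '') return null;
  // Refuse userinfo so "allowed-host@other-host" cannot pass a naive
  // string match on the allowlisted name.
  if (url.username !== '' || url.password !== '') return null;
  // hostname is already lowercased by the parser; exact match only, so IP
  // literals and unlisted internal names are refused.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}
```

This covers only the host and port restriction; condition (1), a proxy that answers identically for missing endpoints and for endpoints with nothing servable, has to be enforced on the server side.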
