On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<[email protected]> wrote: >> https://people.mozilla.com/~gavin/detect-image.html > > A site that cared about that could send image types for its image 404s, no? > Or does the spec require those to not be shown?
I don't know what the spec requires, but if the site did that, it would mitigate the <img>.complete "attack" just as effectively as the observe-layout attack, so I fail to see why changing Gecko's behavior would introduce a privacy leak. Gavin
