On Mon, 31 Aug 2009 06:20:19 +0200, Gavin Sharp <[email protected]>
wrote:
On Mon, Aug 31, 2009 at 12:05 AM, Boris Zbarsky<[email protected]> wrote:
https://people.mozilla.com/~gavin/detect-image.html
A site that cared about that could send image types for its image 404s,
no?
Or does the spec require those to not be shown?
I don't know what the spec requires,
"Whether the image is fetched successfully or not (e.g. whether the
response code was a 2xx code or equivalent) must be ignored when
determining the image's type and whether it is a valid image.
Note: This allows servers to return images with error responses, and have
them displayed."
http://www.whatwg.org/specs/web-apps/current-work/multipage/text-level-semantics.html#the-img-element
but if the site did that, it
would mitigate the <img>.complete "attack" just as effectively as the
observe-layout attack, so I fail to see why changing Gecko's behavior
would introduce a privacy leak.
--
Simon Pieters
Opera Software
