It is, but it's a bit leaky simply because it's such a late addition. Img tags aren't subject to CORS (you can display images from anywhere). Access to the loaded image data is CORS controlled, but the onload and onerror handlers or the dimensions of the final img tag aren't restricted.
If you know, for example, the path of the Netgear logo on a router, you can try loading it and determine success/failure. Existing CORS isn't strict enough to prevent this, and it's debatable whether it should be.
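A server-side way to make the image probe described in the comment above uninformative, as an added example that is not part of the original thread: the asset server gives a cross-origin embed the same answer whether or not the file exists, and sets `Cross-Origin-Resource-Policy` on everything. The header names are the standard Fetch Metadata and CORP headers; the function names and sample requests are hypothetical.

```javascript
// Added example. Function names and the sample requests are hypothetical.
const CORP = { "cross-origin-resource-policy": "same-origin" };

// True when the browser reports that another origin triggered the request
// as a subresource (img, script, fetch ...) rather than a top-level navigation.
function isCrossOriginEmbed(method, h) {
  const site = h["sec-fetch-site"];
  if (site === undefined) return false; // no Fetch Metadata sent: rely on CORP below
  if (site === "same-origin" || site === "none") return false; // own pages, typed URL, bookmark
  const topLevelNav = method === "GET" &&
    h["sec-fetch-mode"] === "navigate" && h["sec-fetch-dest"] === "document";
  return !topLevelNav; // links into the UI are fine, embeds are not
}

// Decide the response for a static asset. `exists` says whether the path maps to a file.
function decide(method, h, exists) {
  if (isCrossOriginEmbed(method, h)) {
    // Same answer whether or not the file exists: the embedding page's
    // onerror fires either way and onload never does.
    return { status: 403, headers: { ...CORP }, sendBody: false };
  }
  // CORP on every response (404 included) makes browsers that do not send
  // Fetch Metadata discard the response for a cross-origin <img>.
  return { status: exists ? 200 : 404, headers: { ...CORP }, sendBody: exists };
}

// Constructed sample requests (lower-cased header names, as Node exposes them).
const crossSiteImg = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" };
const ownPageImg = { "sec-fetch-site": "same-origin", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" };
const linkedNav = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" };

for (const [name, h] of Object.entries({ crossSiteImg, ownPageImg, linkedNav })) {
  console.log(name, decide("GET", h, true).status, decide("GET", h, false).status);
}
```

This equalises the load/error outcome only; it does not change whether the host answers at all.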
revanx_|5 years ago
wongarsu|5 years ago
19870213|5 years ago