[Standards] XHTML <img/> presence leak

Ian Paterson ian.paterson at clientside.co.uk
Fri Mar 2 10:54:49 UTC 2007


Your presence would be leaked if someone sends you an XHTML <img/> for 
which the URI points to an HTTP server that they control. If you are 
online (or the moment you come online later) then your client will 
request the image (perhaps just a single transparent pixel) when it 
displays the message to you. The HTTP server simply reports the request 
to the person who wants to discover your presence.

I think a note about this would be a helpful addition to XEP-0071. 
Perhaps clients should ask/warn their user before displaying such inline 
images received from non-subscribers (probably including a "Don't ask me 
again" checkbox).

- Ian




More information about the Standards mailing list