HTTP response code, non-JavaScript exploit
I'm trying to think of a way an HTTP response could be used as an exploit. This is all I can think of:
Rogue site includes some object from the page it's testing for, maybe a graphic with width and height set to 1, like a web bug. Perhaps many of them. (It would probably be mandatory to do that; too many users would smell a rat if they regularly saw graphics unrelated to the site they're visiting.) If the browser comes back with 304, Not Modified, then that object is in the cache, disclosing that the user has been there, and probably recently, depending on the lifetime of items in the cache. This would work for any page at the site being tested that includes that object, not only the one the user actually visited, so a visitor to some page deep inside a domain which happens to include a logo that is included in most or all pages there would be detected simply by testing for the site's home page.
If that's anything like the exploit, perhaps the browser could check for URLs pointing to objects at other domains with attributes in the link that seem designed to hide their presence from the user, and could then toss up a warning dialog. Google or kindred could add that kind of sign to the criteria they use to find dodgy sites for which they link to their "dangerous site" warning.
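The check proposed in the last paragraph, sketched as an added example that is not part of the original post: a scanner that a browser or crawler could run over a page's HTML to flag images loaded from other hosts with attributes that hide them from the user. The class and function names, the style list, the threshold of three hosts and the sample page are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Inline styles that hide an element (heuristic list, an assumption).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class HiddenCrossOriginFinder(HTMLParser):
    """Collects cross-origin <img> URLs whose attributes hide them from view."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (absolute_url, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])
        host = urlsplit(url).hostname
        if host is None or host == self.page_host:
            return  # same host or data: URI, nothing is fetched cross-site
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            self.findings.append((url, "1x1 or smaller"))
        elif "hidden" in a or HIDDEN_STYLE.search(a.get("style") or ""):
            self.findings.append((url, "hidden by attribute/style"))

def scan(page_url, html, threshold=3):
    """Return (flagged, findings); flagged when hidden images hit >= threshold hosts."""
    # A single hidden pixel is ordinary analytics, so only many hosts raise the flag.
    finder = HiddenCrossOriginFinder(page_url)
    finder.feed(html)
    hosts = {urlsplit(u).hostname for u, _ in finder.findings}
    return len(hosts) >= threshold, finder.findings

# Constructed sample page (all hosts are placeholders).
SAMPLE = """
<img src="/logo.png" width="200" height="60">
<img src="https://bank.example/logo.gif" width="1" height="1">
<img src="https://shop.example/logo.gif" style="display:none">
<img src="https://mail.example/logo.gif" hidden>
<img src="https://cdn.example/banner.png" width="468" height="60">
"""
if __name__ == "__main__":
    print(scan("https://rogue.example/index.html", SAMPLE))
```

It only sees what is in the static markup; images added by script or hidden through an external stylesheet would need a rendered DOM to catch.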