by _delirium 5972 days ago
It's not foolproof, but I think one common way is for the static-content server to check for an appropriate authentication cookie. In Facebook's case, an additional complication is that they serve lots of the static content off Akamai, so any authentication would have to be coordinated.
2 comments

The cookie slows things down a bit. I've never had such a problem, but what about complete randomization of static URLs, so they are not easily findable?

If the leaks are the issue, one might want to change the names, or just filesystem symlinks, periodically.

Couldn't they just solve it by serving up an image with a hash of the Facebook uid as the filename?
Facebook uid = users.id? It gives zero privacy then.
Plus the domain name is completely different: all static content is served from subdomains of .fbcdn.net (and frequently of .ak.fbcdn.net).
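
The filename schemes discussed in this thread, compared in an added example that is not part of the original comments and is not Facebook's code: a plain hash of the uid can be recomputed by anyone who knows the scheme, while a keyed or fully random name cannot. The function names, the key and the sample uid are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def unkeyed_name(uid: int) -> str:
    """Scheme proposed in the thread: filename = hash(uid), no secret involved."""
    return hashlib.sha256(str(uid).encode()).hexdigest() + ".jpg"

def keyed_name(uid: int, key: bytes) -> str:
    """Filename = HMAC(key, uid); only a holder of the server key can derive it."""
    return hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest() + ".jpg"

def random_name() -> str:
    """Fully random filename; the server must store the uid -> name mapping."""
    return secrets.token_urlsafe(32) + ".jpg"

def recover_uid(filename, candidate_uids, namer):
    """Return the uid whose derived name equals filename, or None.

    Models a reader who knows the naming scheme (namer) and checks whether a
    filename seen in a page can be tied back to a known account id.
    """
    for uid in candidate_uids:
        if hmac.compare_digest(namer(uid), filename):
            return uid
    return None

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret
SAMPLE_UID = 4242                     # constructed sample id, not a real account

if __name__ == "__main__":
    ids = range(10_000)  # uids are public and guessable, as the reply notes

    leaked = unkeyed_name(SAMPLE_UID)
    print("unkeyed hash ->", recover_uid(leaked, ids, unkeyed_name))

    protected = keyed_name(SAMPLE_UID, SERVER_KEY)
    print("keyed, scheme known but key unknown ->",
          recover_uid(protected, ids, unkeyed_name))
    print("keyed, wrong key guessed ->",
          recover_uid(protected, ids, lambda u: keyed_name(u, b"guess")))

    print("random name ->", random_name())
```

Neither unguessable variant replaces the cookie check from the first comment: once such a URL is shared, anyone holding it can still fetch the file.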