Note that the actual img tag has src="#" so when you are looking at the file opened locally, the image is also from local disk, not from his server, so it's legit.
However, the fact that it needs to be identified as a HTML file by the server implies to me that the idea others had ITT of abusing image hosting sites using this trick probably won't work.
I doubt this. In request with Accept:"image/png,image/;q=0.8,/*;q=0.5" server souldn't respond with something with Content-Type:"text/html"