This could work, but there's still vulnerabilities. How about a timing attack? The page with that message probably responds faster if the email address doesn't exist. (Sure, a timing attack can be fixed if you can make the page run in constant time; but is it really cost-effective to spend time developing that rather than actual features?)
2) Send a non-blocking request with a flag, eg "Good" "Bad".
3) Return message to user that email has been sent but can not confirm if the email is true for privacy reasons.
While yes, it can be down to a timing attack, the trouble is that this vector can be used against sessions, logins, etc. It can be a standard that Mozilla should adopt.
