Closed makern closed 8 years ago
That's a good point. I can change favicon fetch URL to be HTTPS.
The reason I was using that URL was that it is the easiest way to fetch favicons. Some websites use dynamic favicon assignment which makes the logic far more complex and is not that important.
Are you sure Chrome is sending cookies when sending requests to external sites? Haven't confirmed yet but I doubt it.
I understand that getting all favicons directly is complicated but having an option to just fetch example.com/favicon.ico if available and otherwise use default should be little work?
I haven't checked the XHR from the extension but going to https://www.google.com/s2/favicons?domain=github.com in a normal tab does send all my google.com cookies together with the request, as expected. It might be that cookies are not sent via XHR as long as withCredentials is false.
The cookies aren't the main concern for me though. Sending all the domains to Google is in itself problematic.
Understood. I'll consider an option to avoid sending queries to https://www.google.com/s2/favicons.
Great, thanks.
This is implemented in 4.0. Thanks @makern for your report.
Cheers! Can you clarify how this has been fixed? I can still see FAVICON_URL in the code but it doesn't appear to be used anymore?
It's no longer used. Favicons are directly loaded from sources. https://github.com/agektmr/ProjectTabManager/blob/master/src/elements/ptm-bookmark/ptm-bookmark.html#L202
Great, thanks!
I would like to request that the FAVICON_URL be changed from http://www.google.com/s2/favicons?domain= to HTTPS. Additionally it would be great to have an option to turn off favicon fetching entirely and always use the default icon. Or perhaps, fetch the icon from the actual site instead of Google.
It's a pretty big privacy issue to leak all the sites a user visits to Google. Especially since Google will automatically receive all their cookies on the google.com domain.
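
The options requested in this thread (fetch `/favicon.ico` from the site itself, or always use the default icon), sketched as an added example that is not part of the thread and not ProjectTabManager's own code. `DEFAULT_ICON`, `directFaviconUrl` and `resolveFavicon` are hypothetical names, and the fallback icon path is an assumption.

```javascript
// Added example: all names here are hypothetical, not taken from the project.
const DEFAULT_ICON = 'img/default-favicon.png'; // assumed path to a bundled fallback icon

// Build the icon URL on the page's own origin; no third-party lookup service is involved.
function directFaviconUrl(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null; // not a parseable URL
  }
  // chrome://, file:, data: and similar pages have no fetchable /favicon.ico
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin + '/favicon.ico';
}

// enabled=false is the "always use the default icon" option.
// fetchImpl is injectable so the logic can be exercised offline.
async function resolveFavicon(pageUrl, { enabled = true, fetchImpl = globalThis.fetch } = {}) {
  if (!enabled) return DEFAULT_ICON;
  const iconUrl = directFaviconUrl(pageUrl);
  if (iconUrl === null) return DEFAULT_ICON;
  try {
    const res = await fetchImpl(iconUrl, {
      credentials: 'omit',          // never attach cookies or HTTP auth
      referrerPolicy: 'no-referrer' // do not send a Referer header
    });
    const type = (res.headers.get('content-type') || '').toLowerCase();
    // Some sites answer 200 with an HTML error page; accept only image responses.
    return res.ok && type.startsWith('image/') ? iconUrl : DEFAULT_ICON;
  } catch (e) {
    return DEFAULT_ICON; // network error, blocked request, etc.
  }
}
```

With this shape the only host contacted for an icon is the bookmarked site itself, and the request carries no cookies.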