[mrspandex]

This seems like it would make malicious links easier to seem legitimate. If I see the Google favicon, I might assume it was Google without even checking the URL.

[pbhjpbhj]

Like on HN when the subdomain isn't given of a site that uses public subdomains. Not sure if this is still true but UGC from Google subdomain pages used to just come up as "google.com" next to the submission.

[jsprinkles]

That's possible today with just <img> <a>, so I'm not sure how this script makes that particular vector easier. It's just cool.

[citricsquid]

I think the point mrspandex was making is not "this being possible is bad..." but "if this becomes the accepted way to handle web links" is bad. It's not dangerous that this method exists, it would be dangerous if the average user came to experience and accept it as the "standard" for web links. All it takes is users to assume "my address bar which I can rely on is icon + address, therefore icon + address on a web page is safe too!".

[Groxx]

Ehhh... I can see the argument, but it seems to me to be precisely on par with that you can put arbitrary text inside a <a> tag. Which means a link which looks like http://www.amazon.com might not actually go there. Some people confuse this, some don't, but many have been 'trained' by spam to check the address on mouse-over.

[ville]

At least modern browsers don't let the page to cloak the address by setting window.status anymore. IIRC that was quite popular in 1990s.

[jsprinkles]

Fair. I agree with that.

[tylermenezes]

If the page is a spam site, sure. But imagine someone posts a comment with a domain similar to google.com and the Google favicon. It's a legitimate vector.