[desbo]

> `tar` up an entire WordPress install, save it as `favicon.ico` and then easily pull the files from the server.

assuming I have access to the server to create the tar and save it, what's the difference between downloading the archive as favicon.ico or any other name?

[emidln]

If you don't have control over the logging (for a number of reasons) you can disguise your xf in the access logs. I'd be willing to bet that a lot of logging config files for access logs even ignore favicon.ico.

[simias]

You could also hide it as any kind of regular static resource. I still don't understand how it's any worse than, say, hiding a massive image in a webpage. Bogus websites are going to be bogus no matter what, I can understand browser devs not wanting to guess arbitrary limitations for some resources when an hostile attacker will have plenty of other opportunities to achieve the same thing.

What would be the point of adding a limitation to the favicon size really? Protecting users from websites where the webmaster is silly enough to put a 1GB favicon by mistake? Doesn't seem common enough to warrant the extra code IMHO.

[MichaelGG]

>What would be the point of adding a limitation to the favicon size really?

Uh, yea, the browser shouldn't become unresponsive, break, or behave in such unexpected ways. Not having a limit is just sloppy. Understandable how it'd be overlooked, but sloppy none-the-less.

[simias]

That's reasonable, but won't you get the same result in a million other ways?

I agree that preventing the browser to become unresponsive when loading bogus/malicious pages is a worthy objective but I don't see why the favicon needs to be singled out as a "bug".

These kinds of deny of service attacks against browsers have been known since, like, forever and they're basically impossible to completely prevent given the surface of attack and the complexity of modern web pages.