[simias]

That's reasonable, but won't you get the same result in a million other ways?

I agree that preventing the browser to become unresponsive when loading bogus/malicious pages is a worthy objective but I don't see why the favicon needs to be singled out as a "bug".

These kinds of deny of service attacks against browsers have been known since, like, forever and they're basically impossible to completely prevent given the surface of attack and the complexity of modern web pages.