Favicons can be used as super tracking cookies: create flag to turn off requests & cachingfor them
janvangessel
Hi Guys
Just noticed this article with information and links that show that favicons can be used as "Super Cookies" for tracking purposes and how that's done.
https://gizmodo.com/favicons-could-be-the-supercookie-that-tracks-you-every-1846229089
Would it be possible to create a flag that disables the favicon requests and caching if so desired?
Being able to turn the favicon requests off all together, might also speed up requests on sites that don't have a favicon as on those sites the whole "404 not found" page might be downloaded.
derDay Supporters
@janvangessel
there's already a discussion about this topic:
https://forum.vivaldi.net/topic/56275/how-to-disable-favicons
janvangessel
Thanks deDay, didn't realize that, will continue there.
Based on a cursory understanding of what is going on, the following might help as mitigations outside of fully stopping favicon caching (I imagine that would create a major performance impact):
- Use a separate temporary favicon store in private mode
- When you delete cookies, cache or storage for a site, also delete the favicon
- Introduce a minimum artificial delay when loading all favicon (this is a tactic I have heard recommended to reduce side channel timing attacks, I'm not sure if it would help here)
Presto had a flag to disable (loading and display of) favicons. Seems like that would suffice here.
