You can use the favicon cache as storage too, by redirecting users across domains. It's been proposed as a potential fingerprinting risk[0], and if a browser naively reuses the cache for incognito mode, it could be used to track users across browser profiles.
PNG has comment chunks tEXt, zTXt, and iTXt. You can have a completely normal image whose file is stuffed with as much content as you want. That is less fun, I suppose.
I complained about this style of writing on Medium a few months ago. The author of the article replied that it's a preferred style if you anticipate your writing to be read on a small smartphone screen. This kind of makes sense. Whether that article (or this one) was AI-generated or not, I don't know.
I'd imagine the (aggressive) caching of the favicon by browsers makes it a challenge, but you could generate the favicon dynamically, then have JS extract the sequentially. Basically streaming arbitraily large content to a webpage via favicons. Via blocks of 239 bytes.
It may be a fun, novel way to proxy webpages that are otherwise blocked. Though, i guess, the service rendering the favicons can just as easily be blocked then.
Just as a heads-up, if you do this and you want to use #rrggbb color codes or url(#id) links, you have to escape the # as %23, otherwise it gets parsed as a URL fragment and your SVG code is cut off there.
A neat improvement would be to make the decoder into a bookmarklet. This would avoid the overhead of serving the script. Of course you would rely on the user having the bookmarklet installed, but when you serve HTML you also rely on the user having a web browser installed.
55 comments
[ 2.0 ms ] story [ 52.5 ms ] threadIt's also pretty interesting to think how an attacker could exploit images on his behalf. Never thought that would be a way!!!
Thanks!
https://news.ycombinator.com/item?id=48606396
[0]: https://www.schneier.com/blog/archives/2021/02/browser-track...
Use this favicon.svg:
use this in your <head> to use a svg favicon: finally, use this in your <body> to extract it and add it to your document body:People's ability to discern is completely fried.
It may be a fun, novel way to proxy webpages that are otherwise blocked. Though, i guess, the service rendering the favicons can just as easily be blocked then.
This also allows you to use an emoji directly as a favicon, like so:
(HN isn't showing the emoji)cp index.html favicon.png
Related interesting project: https://github.com/EtherDream/web2img