ABP doesn't block favicon requests

[Mike]

Hi,

I noticed that ABP doesn't seem to be able to filter favicons. I didn't think it was necessary anyway until I stumbled upon this site, which retrieves its favicon from gravatar.com.

I usually have a filter for gravatar avatars on third-party sites, and I was surprised to see this is my firewall logs: http://0.gravatar.com/blavatar/6bc93f43 ... 631f7?s=16.

Now considering it's a get request able to send custom parameters along with headers, useragent, referrer and IP, shouldn't ABP be able to block favicons just like any web bug? Favicons loaded from external sites seem to be pretty rare and not abused to track people, but still, the possibility is there.

[Mike]

I think I didn't choose the right title for this thread.

The point here is that ABP does not filter ALL web content, since it misses the site icon. Yet, one could still set up this icon so it is a web bug or something. So, shouldn't next version of ABP get a hand on site icons like it has on any other web content?

It seems like a design oversight, a well understandable one but that ought to be fixed. Or at least that's what I can tell from where I stand, which is outside of ABP's developer intents

[Wladimir Palant]

That would be bug 437014...

[Mike]

Oh great, it's already there. Though it has been for a while...and it depends on Fx, not ABP...

But I noticed this in the link you gave me:

From Wladimir Palant:
Right, I meant to file a bug on this but forgot. It only affects the legacy /favicon.ico request, favicons specified in the <link> tag go through content policies as expected.

However the site I linked to in my first post does use <link> tags to bypass ABP. Maybe something has changed since the time you posted over there? Or I'm missing something or whatever. Anyway it's good that you're already aware of this at least

[Wladimir Palant]

Yes, it has a <link> tag that Adblock Plus can block correctly. However, if that favicon is blocked the browser will fall back to http://trentsterling.wordpress.com/favicon.ico which happens to redirect to gravatar.com...

[Wladimir Palant]

Btw, setting browser.chrome.favicons preference to false will disable the unblockable legacy /favicon.ico requests while leaving the site icons intact (they are controlled by a different pref).

[Mike]

Great workaround, it doesn't block site icons on other sites either. Thanks!

I'll be looking through Firefox future release notes for a fix to that bug so that I know when to reenable this legacy feature. I guess some sites still legitimately use it.

[Wladimir Palant]

adblockplus.org does - I didn't bother inserting a <link> tag into all pages

[Mike]

Oh man, if even this site uses it, the list must be bigger than I thought. I'm just going to reenable it now, darn you :p