locked Re: Favicon?


Michael Pavan
 

Larry,

On Jan 18, 2020, at 6:31 PM, Laurence Marks <@LarryMarks> wrote:

Michael, Wikipedia is not always an authoritative source.
Agreed, of course.
Having never heard of them, I took a quick look there.
I understand Wikipedia is written by anybody, not necessarily experts - and even experts can be wrong.

• The "danger" is that someone might create a favicon that looks like a padlock and causes them to think the site is secure. You and I would not do that, of course, on our Groups.io website.
You seem to agree that someone, other than you or I, could.

• It would be configurable for each group, of course. If you chose not to configure it for your group, there would be no link, and you would be no less secure than you are today.
I have no objections to them, as long as there was a simple setting to not permit them in my groups.

• There's a concern that a favicon in the root would somehow make it easier for malicious folks to compromise the website. Favicons for groups.io would not likely be implemented that way, of course, They would use the alternate syntax that looks something like this:
<link rel="icon" type="image/png" href="https://groups.io/g/NC-LTRGs/favicon.png" /> which just gets the bad guy to the group that designed the icon. An even more secure option would be to have all the favicons in one spot, referenced by group name or group number, like this:
<link rel="icon" type="image/png" href="https://groups.io/i/12345favicon.png" />
This is above my IT competence, but I understand you say that they are indeed a legitimate concern.

• Wikipedia also mentions that the "rel" attribute mentioned above has not been standardized. There's a difference between what W3C accepts and what browsers implement. That's an argument for purists, not realists. W3C deprecated <b> for bold at least a decade ago, recommending the much-longer-to-type <strong> attribute, but every browser still accepts <b>. Same with the open-in-new-tab link attribute target="_blank". W3C says don't use it, but there are billions of web pages that do, so the attribute will be accepted forever..
Again, this is above my IT competence.
I only included this concern in what I quoted as it was in the middle of it, and I didn't want to 'interrupt' the short quote so that it might appear I was manipulating its meaning.

• There's a longstanding criticism that favicons are inefficient because browsers request them on every web page and are hence wasting bandwidth on every site that lacks them. I'm afraid that horse has already left the barn. There is no way you are going to get Chrome, Edge, Firefox, Safari, Opera, Yandex, Brave, et al. to stop checking for favicons.
You seem to confirm this could/should be a concern.

Michael

Join main@beta.groups.io to automatically receive all group messages.