Why isn't stuff like this considered a security vulnerability in the browser and not require extra permissions from the user? I thought companies like Mozilla were supposed to be on the side of the users, but it often seems like they just make it easier and easier for companies to spy on users.
This particular cases is just an unintended consequence. They could put a limit on the connection duration, but you could also just slowly drip the bytes of a real favicon image (possibly augmented with junk metadata) and how would the browser know that it's not just a slow server connection?
These are favicons we are talking about. There is no legitimate reason for the browser to enable and permit this type of tracking without some permission from the user.
It's not really "permitting" it, that's just how the internet works. If you send the data slowly you can keep a connection open.
And fighting privacy violation is basically a game of cat and mouse. As soon as we figure out how to block their tactics, they evolve. If what I'm doing here became mainstream they would probably do something about it, but as it stands this is much easier to do using JS or something anyway (which people know violates their privacy but they leave it enabled because modern websites break down without it).
