alt.hn

6/20/2026 at 5:33:59 AM

I Stored a Website in a Favicon

 https://www.timwehrle.de/blog/i-stored-a-website-in-a-favicon/

by theanonymousone

6/20/2026 at 6:30:51 AM

Instead of going via pixels, why not use a SVG favicon and directly store markup inside it and extract it?

Use this favicon.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="50%" cy="50%" r="50%" fill="orange"/>
    <p>hello HN!</p>
    </svg>
use this in your <head> to use a svg favicon:

    <link id="favicon" rel="icon" href="favicon.svg" type="image/svg+xml">
finally, use this in your <body> to extract it and add it to your document body:

    <script>
    fetch(favicon.href).then(r => r.text()).then(t => document.body.innerHTML += t.match(/<p[\s\S]*p>/)[0]);
    </script>

by Tepix

6/20/2026 at 9:22:45 AM

Regular expressions? Ugh. Encode it properly as XML in the correct namespace, load it so, and take it from that.

Or just serve the SVG file and use <foreignObject> to embed the HTML, and include <link rel="icon" href=""> inside it. In theory you should be able to define a <view id="icon"> and use <link rel="icon" href="#icon">, but in practice neither Firefox nor Chromium seems to be handling that properly in a favicon, which is disappointing.

by chrismorgan

6/20/2026 at 6:53:14 AM

Hey, yeah, I wrote the article. This (of course) would be more practical. Thanks for pointing it out. I wanted the payload to "live" in actual pixel data rather than hidden text inside an XML file. That’s why I went this way :)

by weetii

6/20/2026 at 6:54:47 AM

The ico file format allows multiple resolution icons, so a lot of data

by peter-m80

6/20/2026 at 6:59:19 AM

Good point, I might add a section in the article where I list alternative approaches. Thanks

by weetii

6/20/2026 at 8:32:39 AM

An SVG can embed raster images: base64 encoded bytes.

So you could layer this experiment: favicon is svg, that contains encoded raster, whose bytes are encoded html.

At the very least it would make a mindboggling CTF step.

by berkes

6/20/2026 at 6:44:19 AM

PNG has comment chunks tEXt, zTXt, and iTXt. You can have a completely normal image whose file is stuffed with as much content as you want. That is less fun, I suppose.

by Walf

6/20/2026 at 6:54:31 AM

Yes, that would also work, thanks for pointing it out

by weetii

6/20/2026 at 6:19:02 AM

You can use the favicon cache as storage too, by redirecting users across domains. It's been proposed as a potential fingerprinting risk[0], and if a browser naively reuses the cache for incognito mode, it could be used to track users across browser profiles.

[0]: https://www.schneier.com/blog/archives/2021/02/browser-track...

by sheept

6/20/2026 at 9:24:54 AM

My thoughts instinctively went to "this has to be being used for fingerprinting" when I read OPs blog. Are anti fingerprinting measures taking into account the use of the canvas api with favicons?

The link to the supercookie site is dead unfortunately.

by ai_fry_ur_brain

6/20/2026 at 6:44:36 AM

Wasn't this fixed or mostly fixed?

by koolala

6/20/2026 at 6:05:16 AM

Is this timing coincidence? I just submitted 1h (30 mins before this) ago a website I just made about storing your stock porfolio in a URL + favicon!

https://news.ycombinator.com/item?id=48606396

by franciscop

6/20/2026 at 7:22:11 AM

I found the agressively staccato, clearly LLM-generated content extremely difficult to read.

by esquivalience

6/20/2026 at 8:20:08 AM

for the first time in a while on HN, i disagree with the characterisation as AI-generated. at most it was drafted with an LLM, but the final output is pretty human to me.

they used the wrong it’s/its, made But. its own one-word sentence, didn’t capitalise HTML, and used “okayy” in parenthesis. all of this isn’t to criticise the writer - i enjoyed it more seeing these little imperfections that make up a blog post

by bstsb

6/20/2026 at 7:23:52 AM

It’s the new internet. So, so annoying.

by estetlinus

6/20/2026 at 7:28:23 AM

Yeah, but it's kinda weird. The typical LLM headers and bullet points are there, but it's like someone took an axe to the rest of the spew. I too would rather read someone's original bad writing than their bad editing of AI writing, but it's kinda interesting how this all shakes out.

by noduerme

6/20/2026 at 9:22:47 AM

It doesn't seem to be LLM, but reads like one. The author is German, maybe it's a language expertise thing, maybe he likes the LLM style (unrelated to his nationality).

But yeah, sentences that only have 3-4 word each feel like 3rd grade writing; I couldn't read it.

by netsharc

6/20/2026 at 7:49:59 AM

I wish people would include their prompts.

by bartvk

6/20/2026 at 7:25:52 AM

Which bit? The short sentences?

by scottmcdot

6/20/2026 at 8:46:39 AM

Fun Fact: You can use any inline SVG for a favicon and keep it right in the HTML document.

This also allows you to use an emoji directly as a favicon, like so:

  <link
    rel="icon"
    type="image/svg+xml"
    href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>(your emoji here)</text></svg>"
  />
(HN isn't showing the emoji)

by jorisw

6/20/2026 at 8:39:34 AM

I'd imagine the (aggressive) caching of the favicon by browsers makes it a challenge, but you could generate the favicon dynamically, then have JS extract the sequentially. Basically streaming arbitraily large content to a webpage via favicons. Via blocks of 239 bytes.

It may be a fun, novel way to proxy webpages that are otherwise blocked. Though, i guess, the service rendering the favicons can just as easily be blocked then.

by berkes

6/20/2026 at 8:45:10 AM

Love it. Did you see the old effort to store the page in the url? https://github.com/jstrieb/urlpages

by tetrisgm

6/20/2026 at 9:23:33 AM

That’s awesome. I took this a bit further a few years ago making a url only notepad quine that as you add data to it, creates itself. that can be saved as a bookmarklet. Have to watch the gif to understand

https://github.com/con-dog/serverless-architecture

by purple-leafy

6/20/2026 at 6:52:37 AM

I would have used a minimal service worker to unpack the web data and present it as if it were just a normal page being loaded.

by beardyw

6/20/2026 at 5:53:07 AM

Pretty cool tbh!!! Would have loved seeing the decoder code!!!

It's also pretty interesting to think how an attacker could exploit images on his behalf. Never thought that would be a way!!!

Thanks!

by superjose

6/20/2026 at 6:26:02 AM

I guess the decoder is more than the 208 bytes that this page uses..

But maybe you can misuse this and store a session ID / cookie in a favicon (give everyone a unique one) and survive some cookie cleanup and evade privacy restrictions?

Maybe you can still make it that the favicon looks like an image a little to not raise suspicion?

Favicons seem to be cached across private browsing sessions. Oh no

by schobi

6/20/2026 at 6:30:56 AM

Very cool. I wonder is it possible to make a simple game with also leveraging the webassembly?

by bozdemir

6/20/2026 at 6:56:22 AM

Yes, probably. I guess, you’d need a bigger favicon since the minimal Rust WASM binary is around 20KB+ (?)

by weetii

6/20/2026 at 8:02:15 AM

Is it cake? Game for devs.

by neon_me

6/20/2026 at 7:01:14 AM

Fascinating concept! Thanks for sharing this!

by ab_wahab01

6/20/2026 at 7:28:54 AM

Would have been more fun if the blogpost was rendered from the favicon.

by scoot

6/20/2026 at 6:54:37 AM

very cool and interesting after reading just the title I wrongly assumed this would be about svg

by fitsumbelay

6/20/2026 at 7:00:05 AM

Surprised that a minimal "website" only requires a small image = few pixels = few bytes to store it? Um, ok.

by jibal

6/20/2026 at 8:03:31 AM

[dead]

by pizzaballs

6/20/2026 at 5:36:07 AM

[flagged]

by anujshashimal98

6/20/2026 at 6:48:22 AM

Amazing!

by shaharamir