Closed Bug 1428050 Opened 7 years ago Closed 7 years ago

CSP leaks

Categories

(Firefox :: Untriaged, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1297156

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

(Whiteboard: [Embargo until Edge and Chrome fixed])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

Steps to reproduce:

1. Go to https://shhnjk.azurewebsites.net/leaks.php

Actual results:

Received the following requests:

1. /?link-shortcut-icon
2. /?link-apple-touch-icon-precomposed

This isn't good because websites like Github are working hard to stop any external requests using CSP (for dangling markup protection).

Expected results:

No request to attack.shhnjk.com is leaked because of "Content-Security-Policy: default-src 'self'; base-uri 'self'; manifest-src 'self';". Also affects Chrome and Edge in some other ways.
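As an added defender-side illustration, not part of the bug report or of Firefox: a Python audit that lists icon `<link>` elements in a served page whose href the page's CSP would not permit, which are exactly the fetches this bug shows browsers making regardless of `default-src 'self'`. The origins example.test and attacker.example, the sample HTML and the helper names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens naming icon resources; the report shows these fetches escaping default-src 'self'
ICON_RELS = {"icon", "apple-touch-icon", "apple-touch-icon-precomposed"}

class IconLinkCollector(HTMLParser):
    # Collect href values of <link> elements whose rel tokens name an icon
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href") and set((a.get("rel") or "").lower().split()) & ICON_RELS:
            self.hrefs.append(a["href"])

def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def csp_allows(policy, url, page_origin):
    """Does img-src (falling back to default-src) permit this absolute URL?
    Simplified matcher: only 'self', '*' and scheme://host sources match; 'none' matches nothing."""
    sources = policy.get("img-src", policy.get("default-src", ["*"]))
    origin = "{0.scheme}://{0.netloc}".format(urlparse(url))
    for src in sources:
        if src == "*" or src == origin or (src == "'self'" and origin == page_origin):
            return True
    return False

def find_leaking_icons(html, csp_header, page_origin):
    """Absolute icon hrefs the policy does not permit; per this bug, browsers fetch them anyway."""
    collector = IconLinkCollector()
    collector.feed(html)
    policy = parse_csp(csp_header)
    return [h for h in collector.hrefs
            if h.startswith(("http://", "https://")) and not csp_allows(policy, h, page_origin)]

# Constructed sample: the bug's header, served from a hypothetical https://example.test page
SAMPLE_CSP = "default-src 'self'; base-uri 'self'; manifest-src 'self'"
SAMPLE_HTML = """<head><link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" href="https://attacker.example/?link-shortcut-icon">
<link rel="apple-touch-icon-precomposed" href="https://attacker.example/?link-apple-touch-icon-precomposed">
</head>"""
```

Running `find_leaking_icons(SAMPLE_HTML, SAMPLE_CSP, "https://example.test")` returns the two attacker.example hrefs while the same-origin favicon is not reported; such output on a page that relies on CSP for dangling-markup protection is the signal to sanitize injected markup server-side rather than depend on the policy.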
Seems like a dupe of bug 1167259 and/or bug 1297156 to me? Or am I missing something? (Note: both of these are public)
Flags: needinfo?(s.h.h.n.j.k)
Yeah, this is a dupe. But could you keep this bug private, as other vendors are affected by another part of the tag (not icons)?
Flags: needinfo?(s.h.h.n.j.k)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [Embargo until Edge and Chrome fixed]
Group: firefox-core-security