Hacker News
new|best

I Stored a Website in a Favicon

(timwehrle.de)
313 points by theanonymousone 5 days ago|109 comments
Tepix 5 days ago
Instead of going via pixels, why not use a SVG favicon and directly store markup inside it and extract it?

Use this favicon.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="50%" cy="50%" r="50%" fill="orange"/>
    <p>hello HN!</p>
    </svg>
use this in your <head> to use a svg favicon:

    <link id="favicon" rel="icon" href="favicon.svg" type="image/svg+xml">
finally, use this in your <body> to extract it and add it to your document body:

    <script>
    fetch(favicon.href).then(r => r.text()).then(t => document.body.innerHTML += t.match(/<p[\s\S]*p>/)[0]);
    </script>
montebicyclelo 5 days ago
"why not alternative", would be better framed as, "here's a fun variation" — because both approaches are just playing around with technology, for fun / curiosity / exploration. Storing in the pixels is a fun approach, resulting in something Rube Goldberg-esque.
weetii 5 days ago
Hey, yeah, I wrote the article. This (of course) would be more practical. Thanks for pointing it out. I wanted the payload to "live" in actual pixel data rather than hidden text inside an XML file. That’s why I went this way :)
peter-m80 5 days ago
The ico file format allows multiple resolution icons, so a lot of data
weetii 5 days ago
Good point, I might add a section in the article where I list alternative approaches. Thanks
dodslaser 4 days ago
Or just put the entire website in a <foreignObject> and render it in the favicon.
econ 4 days ago
You can use any image format. Try using an animated gif.

I don't know what this is but it's huge.

https://news.ycombinator.com/favicon.ico

cogman10 5 days ago
If you wanted to play around and do something a little more challenging (though you'd be bulking up the javascript) then one thing you could do is play with a bespoke html compression. You could store the tags in 4 bits `0001` first bit, tag open or close, and the remaining 3 bits indicate which tag is being used (div/p/b/h1/etc). With at least one of the values like `0111` indicating text is following and another tag like `1111` indicating that an unsupported tag follows.

If you extend it out to 8 bits you can pretty nearly store all the html tags (it'd give you 256 tags to play with).

chrismorgan 5 days ago
Regular expressions? Ugh. Encode it properly as XML in the correct namespace, load it so, and take it from that.

Or just serve the SVG file and use <foreignObject> to embed the HTML, and include <link rel="icon" href=""> inside it. In theory you should be able to define a <view id="icon"> and use <link rel="icon" href="#icon">, but in practice neither Firefox nor Chromium seems to be handling that properly in a favicon, which is disappointing.

Tepix 5 days ago
It's a hack. A one-liner. Go crazy with it. Or touch grass ;-)

Oh yeah and favicon isn't part of the DOM.

decendegen 4 days ago
lol
reichstein 5 days ago
Just because it's my windmill to tilt at: `[\s\S]` can be written shorter and more precisely as `[^]`.
MomsAVoxell 5 days ago
[\s\S] vs. [^]

A quixotic windmill tilt if ever I saw one.

GoToRO 5 days ago
ai says [^] is not portable; I did not test it. Too bad, I'll stick to [\s\S].
spiesd 5 days ago
Too bad, indeed. It's well-defined in javascript (and thus, appropriate in this admittedly niche context). It's non-portable across different regex engines, yes.
GoToRO 4 days ago
exactly what I said
berkes 5 days ago
An SVG can embed raster images: base64 encoded bytes.

So you could layer this experiment: favicon is svg, that contains encoded raster, whose bytes are encoded html.

At the very least it would make a mindboggling CTF step.

slash0x4 4 days ago

  <svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="50%" cy="50%" r="50%" fill="orange"/>
    <p>hello HN!</p>
    </svg>
sheept 5 days ago
You can use the favicon cache as storage too, by redirecting users across domains. It's been proposed as a potential fingerprinting risk[0], and if a browser naively reuses the cache for incognito mode, it could be used to track users across browser profiles.

[0]: https://www.schneier.com/blog/archives/2021/02/browser-track...

ai_fry_ur_brain 5 days ago
My thoughts instinctively went to "this has to be being used for fingerprinting" when I read OPs blog. Are anti fingerprinting measures taking into account the use of the canvas api with favicons?

The link to the supercookie site is dead unfortunately.

koolala 5 days ago
Wasn't this fixed or mostly fixed?
Retr0id 5 days ago
> You still need a tiny bootstrap loader to decode the image.

Nope, you can do it all in a single file with an html/png polyglot (and nowadays you can get better compression ratios with newer formats like webp).

https://web.archive.org/web/20120801001616/http://daeken.com...

gildas 5 days ago
You can even make the file compatible with ZIP (and PDF) on top of that, see https://github.com/gildas-lormeau/Polyglot-HTML-ZIP-PNG/raw/... (and https://github.com/gildas-lormeau/Polyglot-HTML-ZIP-PNG)
Walf 5 days ago
PNG has comment chunks tEXt, zTXt, and iTXt. You can have a completely normal image whose file is stuffed with as much content as you want. That is less fun, I suppose.
weetii 5 days ago
Yes, that would also work, thanks for pointing it out
franciscop 5 days ago
Is this timing coincidence? I just submitted 1h (30 mins before this) ago a website I just made about storing your stock porfolio in a URL + favicon!

https://news.ycombinator.com/item?id=48606396

Tagbert 5 days ago
Then there is this one. Seems to be a trend.

“Pong in S Favicon” https://news.ycombinator.com/item?id=48608681

esquivalience 5 days ago
I found the agressively staccato, clearly LLM-generated content extremely difficult to read.
k2enemy 5 days ago
Halfway through I was sure that there would be a reveal at the end of the article that the article itself was stored in the site's favicon, thus explaining the short, terse sentences. I was genuinely disappointed when I realized it wasn't. Missed opportunity!
bstsb 5 days ago
for the first time in a while on HN, i disagree with the characterisation as AI-generated. at most it was drafted with an LLM, but the final output is pretty human to me.

they used the wrong it’s/its, made But. its own one-word sentence, didn’t capitalise HTML, and used “okayy” in parenthesis. all of this isn’t to criticise the writer - i enjoyed it more seeing these little imperfections that make up a blog post

fortuitous-frog 5 days ago
Looks largely AI-written, with some human edits: https://www.pangram.com/history/9afe7542-1085-4264-9691-2172...

FWIW -- I'm not as repulsed by it as the parent comment. But I do want to substantiate that it _is_ heavily LLM-written.

(If you're unfamiliar, Pangram has garnered a reputation as the leading LLM-detector, with a minimal rate of false positives; IME this has come with the tradeoff of being easy to manipulate/tweak your way into turning an LLM-generated piece of text into reporting a false negative, but for most folks that's worthwhile.)

darianvc 5 days ago
People do be having too much time...

Is the navigation of the site also AI generated? This doesn't make any sense and proves why these AI detectors don't work

MomsAVoxell 5 days ago
I have been writing for a long time, and using AI for as long as it was available to me, and I have noticed that I get accused of being an AI more and more - and I do not think that is because I am an AI, but because we are all being consumed with the AI mind-set, and thus the AI is taking over our thinking - so perhaps subconsciously, I am indeed formulating my thoughts in a more AI-centric manner, prompting the association across the vast distances of the internet by other human beings (- or, AI) of my conscious thought, with an artifice.

This is a banal insult, but it is also a dire warning wherever I see it - these days, people moaning about being AI may as well just be AI - automatic ignorance - but .. I do have to wonder.

Am I, AI?

phyzome 4 days ago
I wouldn't trust Pangram too much. I've seen it give "100% LLM-written, high confidence" to multiple 100% human written articles (high confidence).
benhill70 5 days ago
I like the way it's written. I often write in a similar manner and I have never used LLMs to generate an writing for me. I have written exactly this way at work.

Too me, the author is just trying to get to the point. They know people start skimming if there is too much text.

SamBam 5 days ago
> The important catch

> The favicon doesn't actually contain the whole website itself.

This is the kind of thing that is extremely idiomatic LLM speak. There's nothing particularly wrong about it per se, but it just makes everyone who is familiar with LLMs say "oh, it's written by an AI" and it just becomes disappointing.

themadturk 4 days ago
I complained about this style of writing on Medium a few months ago. The author of the article replied that it's a preferred style if you anticipate your writing to be read on a small smartphone screen. This kind of makes sense. Whether that article (or this one) was AI-generated or not, I don't know.
stevenhuang 4 days ago
There should be a pathology for thinking things must be LLM generated when it's simply not always the case.

People's ability to discern is completely fried.

esquivalience 4 days ago
Do you think I was wrong about this one? Maybe.

I'm usually fairly forgiving about it and like to err on the side of being generous to the individual but in this case it seemed very clear to me and got in the way of the message. I noticed the .de domain and wondered whether it might be AI translation, But I don't think it was, and in my experience, AI translation doesn't give the same uncanny valley vibes.

istjohn 5 days ago
I found the writing engaging and enjoyable to read.
estetlinus 5 days ago
It’s the new internet. So, so annoying.
scottmcdot 5 days ago
Which bit? The short sentences?
bonoboTP 5 days ago
Not just the length but the structure, the way the headlines are phrased, the use of "honestly", the "not X but Y", many things cumulatively, not one particular thing in itself. If you work a lot with LLM writing, you notice. Same way you recognize the writing style of famous authors. It's never one particular thing but many.
noduerme 5 days ago
Yeah, but it's kinda weird. The typical LLM headers and bullet points are there, but it's like someone took an axe to the rest of the spew. I too would rather read someone's original bad writing than their bad editing of AI writing, but it's kinda interesting how this all shakes out.
darianvc 5 days ago
Might stop using bullet points for not being flagged as AI lol

"Very small" -> yeah, this header is mostly AI generated. No hate against the author but this doesn't make any sense as header

netsharc 5 days ago
It doesn't seem to be LLM, but reads like one. The author is German, maybe it's a language expertise thing, maybe he likes the LLM style (unrelated to his nationality).

But yeah, sentences that only have 3-4 word each feel like 3rd grade writing; I couldn't read it.

weetii 5 days ago
Hey, I've always written like this. In school I couldn't stand subordinate clauses and long sentences because I'd lose my train of thought. But yea, I've noticed that people often find it hard to read so I'm going to work on that
SoMomentary 5 days ago
I actually feel the opposite of what most people are saying here. I thought your writing style was great. It felt like you respected my time as a reader and got to the fucking point.

I thought the lack of fluff was refreshing!

darianvc 5 days ago
You're good fr. People on here who try to make their day about being AI detectives. You're trying to work on it and that's what matters
cubefox 5 days ago
Did you use an LLM to write at least part of the article?
bartvk 5 days ago
I wish people would include their prompts.
bonoboTP 5 days ago
Agreed. Disappointing that more people don't notice it's AI.
MomsAVoxell 5 days ago
Oh, I am so aligned with this mentality:

    A monitor is storage.

    A keyboard is storage.
Forum posts are storage. Markov-approved tweaks in an edit, over time, certainly enough for quite a lot of storage. Dual-use storage to boot, since .. you know .. sometimes the comments are socially interesting.

Best thing is, nobody really knows if their chicken casserole recipe isn't just a handle to a carefully constructed GUID pointing across to .. lets say, for humor .. a thousand different forum postings ...

I do have to wonder if the author is familiar with PoC||GTFO, for this is certainly a technique one will find deep within the depths of the Alchemist Owls' holy tomes...

drob518 5 days ago
Codes within codes. Wheels within wheels.
jorisw 5 days ago
Fun Fact: You can use any inline SVG for a favicon and keep it right in the HTML document.

This also allows you to use an emoji directly as a favicon, like so:

  <link
    rel="icon"
    type="image/svg+xml"
    href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>(your emoji here)</text></svg>"
  />
(HN isn't showing the emoji)
Timwi 4 days ago
Just as a heads-up, if you do this and you want to use #rrggbb color codes or url(#id) links, you have to escape the # as %23, otherwise it gets parsed as a URL fragment and your SVG code is cut off there.
clusmore 4 days ago
I'd love to see you try serving the exact same file for both but the trick is that you need to return different Content-Type headers depending on what is requested. When the browser requests /favicon from a navigation event it will use Accept: text/html etc, you return the file with Content-Type: text/html and inside the response you have a <link rel="favicon" href="/favicon" type="img/png"> literally the same resource but the browser will now likely fetch with Accept: image/... and you could return the same file with Content-Type: image/png and the same resource will get used for both. Unless the browser caches the response, I feel like this would work.

If you don't control the headers of your webserver (eg GitHub Pages) I would settle for a symlink favicon.png that just links back to favicon.html which I think would trick the server into returning different Content-Types.

inglor 5 days ago
Cool! Here is a GH repo demonstrating unbounded favicons I made 11 years ago - it crashes some browsers - wanna guess how long it took each one to fix it :D https://github.com/benjamingr/favicon-bug
cfrs 4 days ago
That reminded me of Inigo's "real pixel coding" https://www.youtube.com/watch?v=FvS_DG8yIqQ

A 256b intro coded by placing pixels in photoshop and saving into an exe.

econ 4 days ago
I played with this once hoping the browser wouldn't care what the file was.

The plan came from an experiment from long ago where I put 1x1 images at the end on my pages, the images loaded from websites my page linked to. Preloading the assets made those pages load much faster. Sadly it also broke pages that served "hot linking images not allowed" text on images.

The new plan was to have a javascript or css file called favicon.ico so that the browser would load it at the same time the html was requested. Then one wouldn't have to wait for the html to be parsed for the second round trip to happen.

Sadly it didn't work.

tetrisgm 5 days ago
Love it. Did you see the old effort to store the page in the url? https://github.com/jstrieb/urlpages
purple-leafy 5 days ago
That’s awesome. I took this a bit further a few years ago making a url only notepad quine that as you add data to it, creates itself. that can be saved as a bookmarklet. Have to watch the gif to understand

https://github.com/con-dog/serverless-architecture

tetrisgm 4 days ago
I saw one before that was doing this and saved the whole thing as a base64 stream. So the url would dynamically update and have all its data. Pretty cool. I suppose the main obstacle is now where do I load the site from, and how much can be stored in itself or an image :)
purple-leafy 4 days ago
That’s a pretty clever idea to treat it as a stream, why didn’t I think of that…
tetrisgm 4 days ago
Lmk if you end up pushing this further!
1vuio0pswjnm7 4 days ago
Not a new idea of course. For example, back in 2000, someone stored deCSS in a favicon

https://web.archive.org/web/20010408040524if_/http://decss.z...

To extract

   dd bs=1 skip=2238 < favicon.ico
1vuio0pswjnm7 2 days ago
*2001
berkes 5 days ago
I'd imagine the (aggressive) caching of the favicon by browsers makes it a challenge, but you could generate the favicon dynamically, then have JS extract the sequentially. Basically streaming arbitraily large content to a webpage via favicons. Via blocks of 239 bytes.

It may be a fun, novel way to proxy webpages that are otherwise blocked. Though, i guess, the service rendering the favicons can just as easily be blocked then.

echoangle 5 days ago
> The length header is important because the image itself may contain unused pixels at the end. If there's no length value, there's no way to know where the real payload stops.

Not really, can’t you just pad with 0 bytes and stop reading when you encounter one that’s not part of the current Unicode codepoint?

zahlman 5 days ago
Zero bytes won't ever be part of a multi-byte character in UTF-8. They simply represent code point 0 (which is valid, but wouldn't appear in normal text) by themselves.
echoangle 4 days ago
Ah even better so you can just use null terminated strings
jcubic 4 days ago
Does't work for me. It rendered some garbage:

:f3=Ygbukte!in"c"Hbviann:1h3> =n= " Exgtyvhkle znt%pfsdafipg thfivlmu "vas dcdpeed hrondbvjbno"rixfls, ;.q>

I use Helium on Linux with Polish locale.

herodoturtle 5 days ago
How long before someone ports DOOM into a favicon? ^_^

(For the technical gurus here, would that even be possible?)

shakna 5 days ago
You can already play it in a favicon [0].

But as favicons can be svgs, and let you store foreign objects... You could store the whole thing in the favicon, but might also need a line of JS to extract it.

[0] https://vidferris.github.io/FaviconDoom/

drob518 5 days ago
3… 2… 1…
Gabrys1 5 days ago
Have an index.html that's also (byte-to-byte equal) served as favicon.ico. If that page "works" and the favicon doesn't show garbage, it is a website stored in a favicon (by my standards).
divvsaxena 5 days ago
This is one of those projects that's completely impractical but makes the web more interesting. I love seeing people explore weird constraints just to see what's possible.
scoot 5 days ago
Would have been more fun if the blogpost was rendered from the favicon.
titularcomment 5 days ago
Painful read.

Related interesting project: https://github.com/EtherDream/web2img

superjose 5 days ago
Pretty cool tbh!!! Would have loved seeing the decoder code!!!

It's also pretty interesting to think how an attacker could exploit images on his behalf. Never thought that would be a way!!!

Thanks!

schobi 5 days ago
I guess the decoder is more than the 208 bytes that this page uses..

But maybe you can misuse this and store a session ID / cookie in a favicon (give everyone a unique one) and survive some cookie cleanup and evade privacy restrictions?

Maybe you can still make it that the favicon looks like an image a little to not raise suspicion?

Favicons seem to be cached across private browsing sessions. Oh no

RetroTechie 5 days ago
I'm tempted to think that only someone working for a company in the advertising industry could come up with that.

Must EVERYTHING be polluted by ad tech & privacy intrusions?

brtkwr 5 days ago
Hmm this is cool but what are the practical use cases?

It didn’t load first time round on my browser (Brave) without disabling its prevent tracking feature…

MomsAVoxell 5 days ago
Practical use cases for stashing data in places people least expect it?

Wallet password.

New ecosystem for the kids.

That's two, at least.

beardyw 5 days ago
I would have used a minimal service worker to unpack the web data and present it as if it were just a normal page being loaded.
terrycody 4 days ago
Any real usage scenarios for this? I mean, can it be used as anti-filter or whatever things.
frankzero 5 days ago
I personally won't do things this way, but this is really cool and I could see the applications already.
soanvig 5 days ago
Honestly it didn't interest me, but I do remember from back in the days full websites rendered by a browser from... Empty files. https://mathiasbynens.be/notes/css-without-html
charcircuit 5 days ago
You can literally just use the file itself as the favicon. There is no need to over complicate it.

cp index.html favicon.png

Izmaki 5 days ago
Wait 'til the author discovers that you can use ping (ICMP) to transfer data, too! :)
bozdemir 5 days ago
Very cool. I wonder is it possible to make a simple game with also leveraging the webassembly?
netsharc 5 days ago
https://violet78910.github.io/faviconSnake/
weetii 5 days ago
Yes, probably. I guess, you’d need a bigger favicon since the minimal Rust WASM binary is around 20KB+ (?)
alex_suzuki 5 days ago
You might find my tinkering useful: https://strich.io/blog/posts/embedding-webassembly-in-qrcode... A QR code isn’t much different from a favicon I guess. :)
laladrik 5 days ago
The link is 404
alex_suzuki 5 days ago
It’s not for me?
laladrik 5 hours ago
you're right. The problem is with my Android application. Clicking the link through the website leads to a page
momoraul 5 days ago
The browser already asks for the favicon on every page. Might as well put it to work.
aaubry 5 days ago
A neat improvement would be to make the decoder into a bookmarklet. This would avoid the overhead of serving the script. Of course you would rely on the user having the bookmarklet installed, but when you serve HTML you also rely on the user having a web browser installed.
franze 5 days ago
also https://pong-in-a-favicon.franzai.com/ for further favicon (mis)use
franze 5 days ago
and the obvious Doom Example https://vidferris.github.io/FaviconDoom/favicondoom.html
ab_wahab01 5 days ago
Fascinating concept! Thanks for sharing this!
abc123abc123 5 days ago
Bravo Maestro! Wonderful performance! =)
fitsumbelay 5 days ago
very cool and interesting after reading just the title I wrongly assumed this would be about svg
jibal 5 days ago
Surprised that a minimal "website" only requires a small image = few pixels = few bytes to store it? Um, ok.
neon_me 5 days ago
Is it cake? Game for devs.
deemwar 5 days ago
looks good
shaharamir 5 days ago
Amazing!
fvckaigotohell 5 days ago
AI generated garbage. Blocked