It took me a while to track down, a clients website was compromised. The attacker gained access to the site, and stuffed a http redirect in favicon.ico.
This seems to work on all browsers, including Safari Mobile as well. I am unable to determine a reason why favicon.ico would decode anything by an image format. It is crafty place to store a redirection, the last place I looked.
What makes this so interesting, is that a first visit will redirect, but then the icon is cached. You will end up thinking it was a fluke, as the redirect will not execute again, unless you clear caches of icons.
Can you provide an example? Where does favicon.ico being HTML come into the play? Your description talks about favicon.ico being a HTTP redirect, which would mean that the *contents* of favicon.ico are never looked at, only the headers. To what does favicon.ico redirect?
Providing either an example or a clearer description would make this easier to understand.
Here is the latest exploit I found on a server:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<p>The document has moved <a href="http://22.214.171.124/in.html?s=sg_err">here</a>.</p>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/126.96.36.19935 mod_jk/1.2.25 PHP/5.2.5 Server at example.com Port 80</address>
I can not replicate it here, and I do not have physical access to the above server.
That is a standard HTTP redirect, which browsers *should* follow when requesting the favicon. I don't see any evidence that WebKit is doing anything incorrect here. Feel free to reopen this bug report if you can show that what WebKit is doing is somehow incorrect.
Are you perhaps saying that a redirect for the icon redirects the main page instead?
It is hard for me to say much at all, since I do not have access to the exploited machine I noticed this on. I understand a request for favicon.ico should redirect. I do not think that is what is happening.
From the above, it doesn't necessarily follow that the content of favicon is parsed - if may be an HTTP header of the response causing a redirect.
So, it is not clear at all what is happening here, and why it is related to a security breach.
Image file formats cannot have redirects inside them. The header of the response that serves the image can have a HTTP redirect, which the browser should follow. Can you please provide a URL that demonstrates an actual problem? There's not much point in speculating about a problem that there is no evidence of.
I will have to do more research and build a test case, please close for now, and as I have time, I will update this report. Thank you.