This side effect no longer works, as all modern browsers load the favicon file to display in their web address bar, regardless of whether the site is bookmarked.
[6] In 2003, the .ico format was registered by a third party with the Internet Assigned Numbers Authority (IANA) under the MIME type image/vnd.microsoft.icon.
[10] RFC 5988 established an IANA link relation registry,[11] and rel="icon" was registered in 2010 based on the HTML5 specification.
[1][3] The ICO file format article explains the details for icons with more than 256 colors on various Microsoft Windows platforms.
The standard implementation uses a link element with a rel attribute in the <head> section of the document to specify the file's format, name and location.
If links for both PNG and ICO favicons are present, PNG-favicon-compatible browsers select which format and size to use as follows.
As of iOS 5, Apple mobile devices ignore the HTML5 recommendation and instead use the proprietary apple-touch-icon method detailed below.
The Google Chrome web browser, however, will select the closest matching size from those provided in the HTML headers to create 128×128 pixel application icons when the user chooses Create application shortcuts... from the "Tools" menu.
On Apple iPhones and iPads, as well as Android mobile devices, users can pin web pages as shortcut icons to their home screen.
It allows the developer to not only provide the icons but also a short name for display on the home screen as well as theme colors.
[43][44] Due to the need to always check for it in a fixed location, the favicon can lead to artificially slow page-load time and unnecessary 404 entries in the server log if it is nonexistent.
By changing the favicon to a familiar padlock image, an attacker can attempt to trick the user into thinking they are securely connected to the proper website.
[47] Since favicons are usually located at the root of the site directory on the server, they can be employed with some reliability to disclose whether a web client is logged into a given service.
This works by making use of the redirect-after-login feature of many websites: the favicon is requested through a redirect-after-login URL, and the server response shows whether the user is given the requested resource (which means they are logged in) or is instead redirected to the login page (which means that they are not logged into the service).
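A server-side mitigation for the login-state disclosure described above, as an added example that is not part of the original article. It assumes a login endpoint with a redirect parameter (called next_url here, a hypothetical name) and browsers that send the Fetch Metadata request headers; the function names and the extension list are likewise assumptions of this sketch.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed list for this sketch: targets that make no sense as a post-login page.
STATIC_EXTENSIONS = {".ico", ".png", ".gif", ".jpg", ".jpeg", ".svg", ".css", ".js"}


def is_safe_next(next_url):
    """Accept only same-site paths that do not point at a static asset."""
    if "\\" in next_url:
        return False  # browsers may treat "/\host" like "//host"
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return False  # absolute or scheme-relative URL
    ext = posixpath.splitext(parts.path)[1].lower()
    return ext not in STATIC_EXTENSIONS


def decide(headers, next_url, authenticated):
    """Return (status, location) for a request to the login endpoint."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    dest = h.get("sec-fetch-dest")
    # A cross-site subresource fetch (for example an image load) announces
    # itself with Sec-Fetch-Dest other than "document".
    if site == "cross-site" and dest not in (None, "document"):
        # Same answer with or without a session, so nothing is disclosed.
        return 403, ""
    # Second layer for clients without Fetch Metadata: never redirect to an
    # asset, so both login states yield a non-image response to the requester.
    if not is_safe_next(next_url):
        next_url = "/"
    if authenticated:
        return 302, next_url
    return 200, ""  # render the login form


if __name__ == "__main__":
    # Constructed sample request headers.
    probe = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"}
    for logged_in in (True, False):
        print(logged_in, decide(probe, "/favicon.ico", logged_in))
```

Setting the session cookie with SameSite=Lax or Strict complements this check, because cross-site image requests then carry no session at all.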