verify lack of favicon leaks that exist in browser-laptop

[diracdeltas]

currently there are a bunch of places in browser-laptop UI where favicons are loaded remotely: for instance in about:bookmarks, the bookmarks toolbar, and in the back button context menu. This is a big privacy issue because a network attacker can get a partial view of someone's browsing history whenever they open Brave (without them navigating to the site). we should make sure these leaks are fixed here.

[bbondy]

@diracdeltas @jumde this seems to be an issue with an assumption that browser-laptop is the same as Chromium here. Was this verified to be an issue here or is just a guess? If just a guess, can this claim be verified as being an issue here before being marked as sec-high and added to milestone Releasable builds? Thanks.

[diracdeltas]

@bbondy it was just a guess. i will change the title to "verify lack of favicon leaks"

[jumde]

Verified its not a problem in brave-core -

STR -

1. Created bookmarks for multiple sites: adobe.com | apple.com | cnn.com
2. Cleared browsing history
3. Close Brave
4. Reopen Brave and open Bookmarks manager

The favicons were loaded without any requests to these domains. cc: @diracdeltas

[diracdeltas]

@jumde please also verify:

1. favicons in new tab page are not loaded remotely
2. favicons in context menu when clicking browser back button are not loaded remotely

[diracdeltas]

also bookmarks in the browser menu and bookmarks in the bookmarks toolbar when 'Show Bookmarks Bar' is enabled

[jumde]

Verified that favicons in new tab | back button context menu | browser menu and bookmarks bar are loaded locally. The bitmaps are loaded from favicons db.

[diracdeltas]

great, closing this for now

[bbondy]

Thanks verifying @jumde and @diracdeltas