When “Hotlink Protection” is on the article image is downloaded by Discourse to display in the onebox but the favicon is not (in Firefox this is clear as there is an empty box):
How would you do that? And if someone had gone to lengths to see that you can’t download those images my response is either “serves them right” or “I will respect their wishes.”
All I’m asking is, would it make sense to treat favicons in the same way that other images are — download copies and serve them locally?
Test the current behaviour yourself, enable “Hotlink Protection” on a site behind Cloudflare and you will find that Discourse still downloads the main images for oneboxes…
They will as long as they are in a format your Discourse accepts. The example in OP is using .ico, which is an old format not allowed in Discourse by default. You can add it to the list in your site.
I added .ico to authorized extensions and rebuilt the HTML of a post and while the favicon wasn’t downloaded and served locally straight away it was when I checked it a couple of days later.