Onebox, favicon's and Cloudflare's "Hotlink Protection"

The following WordPress site is behind Cloudflare, currently with " Scrape Shield", “Hotlink Protection” off:

When “Hotlink Protection” is on the article image is downloaded by Discourse to display in the onebox but the favicon is not (in Firefox this is clear as there is an empty box):

This is the HTML source:

<img src="" 
     class="site-icon" width="64" height="64">

With “Hotlink Protection” on the favicon is not displayed due to the Cloudflare serving a “Error 1011, Access denied”.

I was also wondering, has the downloading and serving locally, of favicons been considered for cases where Cloudflare’s “Hotlink Protection” is on?

How would you do that? And if someone had gone to lengths to see that you can’t download those images my response is either “serves them right” or “I will respect their wishes.”

In the same way as is done for other images?

See this onebox:

The URL of the image of the bonfire is:

It was download by Discourse from the original site at this URL:

All I’m asking is, would it make sense to treat favicons in the same way that other images are — download copies and serve them locally?

Test the current behaviour yourself, enable “Hotlink Protection” on a site behind Cloudflare and you will find that Discourse still downloads the main images for oneboxes…

1 Like

They will as long as they are in a format your Discourse accepts. The example in OP is using .ico, which is an old format not allowed in Discourse by default. You can add it to the list in your site.


I added .ico to authorized extensions and rebuilt the HTML of a post and while the favicon wasn’t downloaded and served locally straight away it was when I checked it a couple of days later.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.