This issue is not due to the TLP plugin (the topic title needs updating).
For example, you can see it currently on @adorfer’s site here, even though TLP is disabled.
Also, I’ve added the offending links on @adorfer’s site (German newspaper websites need to migrate to https 
) to my sandbox and the .ico download behaviour (and https) works normally. See further here: https://discourse.angusmcleod.com.au/c/tlp
The reason you were seeing some difference between safe mode and normal mode on that site is because TLP just replicates the existing issue with the .ico images in the topic list (in addition to the individual topics in which the issue occurs).
For anyone else who has an issue with favicon’s in oneboxes breaking https, there are five site settings that will affect whether a remote image is downloaded to Discourse, including favicon (.ico) images. You need to check all of them:
-
download remote images to local -
download remote images threshold -
download remote images max days old -
disabled image download domains -
authorized extensions
You need to rebake (‘rebuild html’) any post with an offending image to re-trigger the job that pulls hotlinked images once you’ve updated any of these settings.
After you’ve rebuilt the html, the job will run after however many seconds you’ve set as the editing grace period in your site settings (Default is 300 seconds, i.e. 5 mins).
You can see the progress of the job at yoursite.com/sidekiq, it’s called “PullHotlinkedImages” e.g.
Only once all of the above settings are set appropriately and this job has fully completed should you expect to see Discourse serving a local version of the hotlinked image, and any associated https issues resolve.