Closed Bug 1998677 Opened 4 months ago Closed 3 months ago

Inactive split view domain indicator should not include favicon (at least not for non-https sites)

Categories

(Firefox :: Tabbed Browser, defect, P1)

Desktop
All
defect

Tracking

VERIFIED FIXED
147 Branch
Tracking Status
firefox147 --- verified

People

(Reporter: Gijs, Assigned: Gijs)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, sec-vector, Whiteboard: [fidefe-sidebar] [adv-main147-])

Attachments

(1 file)

Some ground assumptions for this ticket:

  1. the design shows the domain with favicon
  2. favicons used to be displayed in the address bar (in all browsers)
  3. all browsers stopped doing this because it enabled spoofing (cf. bug 588270, bug 742419)
  4. the split view implementation shows insecure state indicators for websites that are not secure (e.g. http://httpforever.com/)

This combination means that the resulting experience for insecure sites can be confusing, because the site favicon can try to pretend the site is secure anyway, cf. attachment 9524721.

I think we should not show the favicon - at least in the non-https case. Even in the https case it can be a little spoofy (e.g. with lookalike domains and a "right" favicon), but given we display the domain name it shouldn't be any more spoofy than the address bar already is.

Blocks: 1980370
Severity: -- → S2
Priority: -- → P1
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch

Verified that the favicon is no longer displayed for http sites in split view with Firefox 147.0a1 (2025-12-02) on Windows 11, macOS 26 and Ubuntu 24.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-ver-done-c147/b146]
Whiteboard: [fidefe-sidebar] → [fidefe-sidebar] [adv-main147-]