Created attachment 530737 [details] PoC (zipped) Michael Jordon of Contextis reports that users can be fingerprinted through their installed applications using a timing attack based on moz-icon: and WebGL. Warning: this testcase may result in a crash on Windows (bug 655364)
Will look ASAP... but it's Friday 5:30 pm here.
I assume if we fix the generic cross-origin issue in bug 655987 then access to moz-icon: images should be blocked as a matter of course.
Now that bug 655987 is fixed this doesn't work any more (I checked with bjacob and tested locally). PoC is already public other places.