There is another - and more simplified - version of Google favicons service:<p><a href="http://s2.googleusercontent.com/s2/favicons?domain_url=" rel="nofollow">http://s2.googleusercontent.com/s2/favicons?domain_url=</a><p>You can also pass a full URL to domain_url parameter, e.g.:<p><a href="http://s2.googleusercontent.com/s2/favicons?domain_url=http%3A%2F%2Fnews.ycombinator.com%2Fitem%3Fid%3D4028603" rel="nofollow">http://s2.googleusercontent.com/s2/favicons?domain_url=http%...</a><p>So no need to find the host name, just be sure to encode the URL<p>It also works with HTTPS connection.
This seems like it would make malicious links easier to seem legitimate. If I see the Google favicon, I might assume it was Google without even checking the URL.
I don't know how much of an issue this is in practice, but if the Google favicon service only requires the hostname then it will sometimes get the icon wrong. Any individual page can specify its own icon via a link element in the page header. (This is essential when multiple sites share the same host.) Is there any reasonable way to deal with that?
Or a simple JQuery Plugin I developed: <a href="https://github.com/dreur/JQuery-Showfavicons-Plugin" rel="nofollow">https://github.com/dreur/JQuery-Showfavicons-Plugin</a><p>It adds the possibility to say which hostnames are internal and external.