
Credit card skimmer masquerades as favicon - arunbahl
https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
======
jcoc611
If I understand correctly, the browser would need to accept text/html as a
response to an <img /> tag. Why not just disable this/drop the response if it
isn't an image MIME?

