Open Bug 1561710 Opened 5 years ago Updated 2 years ago

The image/icon made-up format is exposed to the web

Categories

(Core :: Graphics: ImageLib, defect, P3)

Tracking

Tracking Status
firefox69 --- affected

People

(Reporter: mstange, Unassigned)

Details

We have an internal "Icon" image format which has the following format: width as u8, height as u8, raw bgra byte data. Its purpose is to be used internally. However, the decoder is exposed to the web: it is registered for the (made-up) mime type image/icon.

E.g. here's an image data url for a 2x2 icon with red, green, blue, yellow pixels: data:image/icon;base64,AgIAAP//AP8A//8AAP8A////
You could use this on your website and it would show in Firefox, but not in any other browser.

Do we want to expose this format? Can we find a different way of getting icon data from the system into UI image elements?
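The layout described in comment 0 (width as u8, height as u8, then raw BGRA bytes), written out as a strict parser and run on the data URL quoted there. This is an added example, not Gecko's decoder: the function names, the row-major pixel order and the rejection of zero-sized, truncated or over-long payloads are assumptions of this sketch.

```python
import base64
from urllib.parse import unquote_to_bytes

ICON_MIME = "image/icon"  # the made-up MIME type named in the bug

def parse_icon(blob: bytes):
    """Parse width (u8), height (u8), then width*height BGRA pixels.

    Returns (width, height, rows); rows is a list of rows of (r, g, b, a).
    Row-major, top-to-bottom order is an assumption of this example.
    """
    if len(blob) < 2:
        raise ValueError("missing width/height header")
    width, height = blob[0], blob[1]
    if width == 0 or height == 0:
        raise ValueError("zero-sized icon")
    body = blob[2:]
    expected = width * height * 4
    if len(body) != expected:
        # Strict length check is this example's choice, not Gecko's behaviour.
        raise ValueError(f"expected {expected} pixel bytes, got {len(body)}")
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            off = (y * width + x) * 4
            b, g, r, a = body[off:off + 4]   # stored as B, G, R, A
            row.append((r, g, b, a))
        rows.append(row)
    return width, height, rows

def parse_icon_data_url(url: str):
    """Decode a data:image/icon URL and parse its payload."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    meta, sep, payload = url[5:].partition(",")
    if not sep:
        raise ValueError("data: URL has no comma")
    params = [p.strip().lower() for p in meta.split(";")]
    if params[0] != ICON_MIME:
        raise ValueError(f"unexpected MIME type {params[0]!r}")
    if "base64" in params[1:]:
        raw = base64.b64decode(payload, validate=True)
    else:
        raw = unquote_to_bytes(payload)
    return parse_icon(raw)

# The 2x2 example URL quoted in comment 0.
SAMPLE = "data:image/icon;base64,AgIAAP//AP8A//8AAP8A////"
```
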

(In reply to Markus Stange [:mstange] from comment #0)

> Do we want to expose this format?

Probably not.

Is there a way to easily disable access from content?

Ah, we tried to disable access from content in bug 1222924, but I guess that bug missed at least data URIs.

Priority: -- → P3

Ah, if it's just data urls, that's not so bad then. I hadn't tested this with regular http(s) pages.

Severity: normal → S3