Safari is connecting to every website in the Favorite Bookmarks Bar, even if you don't open any of them. That's not really privacy.

[Adora]

Hello,

since I am using the firewall Little Snitch again, I recognized directly after launching, Safari is connecting to all websites in the favorites bar in every profile I am opening a window for. I think it's just fetching some image as avatar for the websites. This isn't new, but I mostly allow every outgoing connection for browsers and forget about it.

If I would block those connections the whole websites are not working anymore.

Isn't this a privacy breach? If you don't use a VPN service and/or 3rd-party-DNS provider, your internet provider always would know what are your favorite websites. Even if you just saved a website there just to not forget it and don't use it for a longer time, it would look like it's used daily for the provider and website owner.

Even worse is the new Password App in macOS 15. It does the same thing for every website that has a saved password in it. But at least I can block all outgoing connections of that App and it still works.


I am also wondering why Safari is the only browser that if you really want to confirm any connection manually in such a firewall like Little Snitch, you can see the website address and not just an IP-address like it is the case in any other browser for almost anything.

But that's a good thing because I can use Safari that way to block hidden things on websites forever that are not necessary for their functionality and I also wouldn't have even noticed that it ist loading something from the website in the favorite bookmarks bar.

 

[bogdanw]

Simple solution: right-click on the Favorites bar, choose “Show Text Only”.

 

[svenmany]

Hello,

since I am using the firewall Little Snitch again, I recognized directly after launching, Safari is connecting to all websites in the favorites bar in every profile I am opening a window for. I think it's just fetching some image as avatar for the websites. This isn't new, but I mostly allow every outgoing connection for browsers and forget about it.

If I would block those connections the whole websites are not working anymore.

Isn't this a privacy breach? If you don't use a VPN service and/or 3rd-party-DNS provider, your internet provider always would know what are your favorite websites. Even if you just saved a website there just to not forget it and don't use it for a longer time, it would look like it's used daily for the provider and website owner.

Even worse is the new Password App in macOS 15. It does the same thing for every website that has a saved password in it. But at least I can block all outgoing connections of that App and it still works.


I am also wondering why Safari is the only browser that if you really want to confirm any connection manually in such a firewall like Little Snitch, you can see the website address and not just an IP-address like it is the case in any other browser for almost anything.

But that's a good thing because I can use Safari that way to block hidden things on websites forever that are not necessary for their functionality and I also wouldn't have even noticed that it ist loading something from the website in the favorite bookmarks bar.

The browser is probably just looking up the icon that shows in the tab (called a "favicon"). As @bogdanw recommends, turning those off should stop that. Some browsers do not refresh favicons very often. I forget the details, but I've struggled in the past to get Chrome to refresh the displayed favicon of the site I was developing.

The password program might be doing the same. In 1Password there is an option to not show website icons. I always select that.

 

[chown33]

If you're using iCloud Private Relay, then the privacy of fetching favicons should be the same as visiting websites when Private Relay is enabled.

About iCloud Private Relay - Apple Support

iCloud Private Relay — part of an iCloud+ subscription — helps protect your privacy when you browse the web in Safari.

support.apple.com

If you're not using Private Relay, then Safari's favicon privacy should again be the same as when you're visiting websites with Private Relay disabled.

If Safari fails to use Private Relay for favicons despite it being enabled for general web browsing, then that would be a security bug, and should be reported to Apple.

 

[mblm85]

You have "Preload Top Hit in the background" set in your Safari preferences.

 

[svenmany]

You have "Preload Top Hit in the background" set in your Safari preferences.

Don't think it's related. That setting relates what happens as you're doing web searches.

 

[mblm85]

Don't think it's related. That setting relates what happens as you're doing web searches.

Just found this:

Safari Search & Privacy

Safari Search is designed to protect your information and enable you to choose what you share.

support.apple.com

"With Preload Top Hit enabled, as soon as Safari determines a Top Hit based on your bookmarks and browsing history, Safari will begin loading the web page in the background. If you disable this option, the page will load normally."

 

[svenmany]

Just found this:

Safari Search & Privacy

Safari Search is designed to protect your information and enable you to choose what you share.

support.apple.com

"With Preload Top Hit enabled, as soon as Safari determines a Top Hit based on your bookmarks and browsing history, Safari will begin loading the web page in the background. If you disable this option, the page will load normally."

Yeah, if you begin typing in the URL bar, Safari will try to figure out what you're looking for based on that stuff you mention. But the OP is not doing a search; they're just opening a browser window.

 

[koelsh]

The irony I see is it's supposed to be grabbing the favicon/iOS bookmark icon for those sites but the majority in mine have only ever shown a generic icon with the first letter of the site on a random color

Thought this might explain Safari's rampant abuse of my 16GB of RAM but "preload top hit" has been disabled for a long time.

 

[Adora]

The browser is probably just looking up the icon that shows in the tab (called a "favicon"). As @bogdanw recommends, turning those off should stop that. Some browsers do not refresh favicons very often. I forget the details, but I've struggled in the past to get Chrome to refresh the displayed favicon of the site I was developing.

The password program might be doing the same. In 1Password there is an option to not show website icons. I always select that.

Yes 1Password is doing the same. I just blocked the connection there too like in the new Passwords App. In Firefox icons in the bookmarks bar only appear if I visit the website.

Simple solution: right-click on the Favorites bar, choose “Show Text Only”.

Thanks, that should do it. Already thought about such an option but forgot to search for it. 💖


@chown33

Private relay is enabled but only prevents website not to see my IP if I understand it correctly. My provider would see all the sites in favorites even if I don't visit them.

It was just a hypothetical question, there is nothing criminal in my favorites, but I like privacy and always thought this is strange many years ago. Also I am not using my providers DNS and a VPN service, so they can't see it anyway.

You have "Preload Top Hit in the background" set in your Safari preferences.

I always disable everything in the search settings. So it has nothing to do with it.

The irony I see is it's supposed to be grabbing the favicon/iOS bookmark icon for those sites but the majority in mine have only ever shown a generic icon with the first letter of the site on a random color

Thought this might explain Safari's rampant abuse of my 16GB of RAM but "preload top hit" has been disabled for a long time.

Yes that's really ironic. Often there isn't a real icon, but it is connecting to that website anyway.

 

[Adora]

Simple solution: right-click on the Favorites bar, choose “Show Text Only”.

I tested this now and it is still trying to connect to every website when I unhide the Favorites Bar, so it's not just the icons. All favorites get preloaded somehow and there seems to be no way to turn it off.

 

[svenmany]

I guess it doesn't help, but I can't reproduce it. I also run Little Snitch and see nothing as I hide and show the favorites or open windows in different profiles.

I did some experimentation dragging an existing bookmark to the favorites bar. If the existing bookmark already showed the icon, then it didn't trigger a web request when it was dragged to the favorites bar. If it didn't already show an icon, then it did trigger the request to fetch the icon.

I did the testing with all extensions disabled - not uninstalled. Do you have any extensions running?

 

[koelsh]

I tested this now and it is still trying to connect to every website when I unhide the Favorites Bar, so it's not just the icons. All favorites get preloaded somehow and there seems to be no way to turn it off.

I guess it doesn't help, but I can't reproduce it. I also run Little Snitch and see nothing as I hide and show the favorites or open windows in different profiles.

I did some experimentation dragging an existing bookmark to the favorites bar. If the existing bookmark already showed the icon, then it didn't trigger a web request when it was dragged to the favorites bar. If it didn't already show an icon, then it did trigger the request to fetch the icon.

I did the testing with all extensions disabled - not uninstalled. Do you have any extensions running?

Just for giggles what specific version of Safari are both of you running?

 

[svenmany]

Just for giggles what specific version of Safari are both of you running?

17.6

 

[Adora]

Just for giggles what specific version of Safari are both of you running?

18 and 18 Technology Preview. But I noticed this since I first installed Little Snitch, what had been in 2015. I always forgot about it because I normally allow all outgoing connections for browsers.

 

[Adora]

I guess it doesn't help, but I can't reproduce it. I also run Little Snitch and see nothing as I hide and show the favorites or open windows in different profiles.

I did some experimentation dragging an existing bookmark to the favorites bar. If the existing bookmark already showed the icon, then it didn't trigger a web request when it was dragged to the favorites bar. If it didn't already show an icon, then it did trigger the request to fetch the icon.

I did the testing with all extensions disabled - not uninstalled. Do you have any extensions running?

It might only happen after deleting all website data, what I do regularly and not every time you just open a Safari Window.

It's happening with and without extensions.

 

[bogdanw]

It might only happen after deleting all website data, what I do regularly and not every time you just open a Safari Window.

I see the same thing. I tested at first without deleting history & cache and Safari didn’t connect to anything when launched.
But if I delete history & cache, Safari tries to connect to the websites that appear directly in the Favorites bar, but not to the ones that are in folders.
As I have selected “Show Text Only”, this is a bug in my opinion. From the perspective of a privacy-conscious user, this can be temporary mitigated by putting all websites in folders in the Favorites bar and by launching Safari after connecting to a VPN.
There used to be a way to completely disable favicons in Safari (WebIconDatabaseEnabled set to false), but Apple removed that option some time ago. I looked for an alternative way, but even locking the folders where favicons are stores doesn’t prevent Safari from trying to connect to get them.
To report a Safari bug https://www.apple.com/feedback/safari.html

 

[svenmany]

Isn't this a privacy breach? If you don't use a VPN service and/or 3rd-party-DNS provider, your internet provider always would know what are your favorite websites.

The favicon fetches are encrypted, unless you've bookmarked unsecured websites. So, there won't be any direct evidence that the fetches are from your favorites. Even if they weren't encrypted, the favicon fetches don't necessarily come from your favorites.

Switching DNS providers is not going to help you keep information from your ISP. The original TLS negotiation reveals the hostname you're requesting data from. See https://en.wikipedia.org/wiki/Server_Name_Indication if you're technically inclined. And, you're not hiding the IP address from them, so there is some loss of privacy in that.

VPN from a company you trust is probably the way to go if these concerns are very important to you.