This is a simple demonstration of misusing the Content Security Policy for cross-origin login-state detection.
Many platforms are vulnerable to the Favicon Hack. Which has been a well known won't fix for years.
A similar well known won't fix is the CSP Hack, which is an even bigger issue since it can be used to detect redirects even more precise.
Javascript doesn't need to be enabled.