Favicon Redirection Possible Security Flaw

According to your question Chrome was loading a plain HTTP favicon in a HTTPS page without any browser warning. Interesting.

Redirecting to a plain HTTP website is not a vulnerability in itself. However, it is a security flaw if the redirect is accidental and you want your users to remain on a secure, trusted channel to your site.

Script content will not be executed in a favicon but the request could leak cookies if the cookie domain isn't set correctly and the secure flag is not set. An attacker could also do this with your site if the user visits any site under plain HTTP.

If there are any browser exploits that can be triggered from a favicon you could be putting your users at risk here, although the initial redirect and the browser exploit are really flaws in the browser rather than your site.