Man I only read through the source code to point out the issues with Permissions requests. I hadn't even seen the background of spamming your entire contacts list to a remote server.
That's because it doesn't. It's an optional feature, the feature shows the favicon for the domain names on your contact list. In order to do that, the app retrieves the favicon from each domain in your contact list. It does this in the App not in an external server.
So, reading the code, say you have in your contact list:
b@acme.com a@acme.com c@google.com
The code makes a single request to acme.com (to get the favicon) and one to support.google.com to get that favicon (there's a special case for google to avoid getting the new doodle of the day). That's it.
No one gets the contact list, the most anyone gets is that your ip requested a favicon.
Saying that this is sharing the contact list is akin to saying that a browser sends your ip to websites you visit.
