Yes that is a bug.
Thanks for digging into the code. Would you like to provide a PR => be attributed with this fix?
I am wondering: How did you come across this?

I have a PR almost ready, I'm just currently confirming on my patched local that it's possible to use the URL variant at all.

Assuming I can work out some CORS issues, then I'm expecting I can provide a simple one-liner.

As to how I came across it: I am automating a from-scratch status page setup, so the UI-driven upload flow is a no-go for me. I also don't really like the base64 upload because then I have to pull the current image and check if the contents match since I want to report whether I am changing the icon. I'd rather use either a cross-origin URL or a path relative to the data volume (I'm using the docker deployment variant).

I don't care about the attribution though; this is not my personal account

Confirmed that things work fine if I do this simple fix: #4750