Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadEvan ProdromouMar 4
@b0rk A pretty common one is interaction buttons -- Facebook like or share buttons, for example.
Show threadJulia Evans
@evan this is making me realize i don't know how those buttons work, I should look into them
Mar 4 at 8:02pmWeb
Show threadEvan ProdromouMar 4
@b0rk yeah, it's been a while since I messed with them. We made one for StatusNet a long time ago, and I think it was an <iframe> or something similar. This was back when browsers were pretty blasé about passing cookies around; a lot has tightened up since!