Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadDDRMar 4
@b0rk On the old forums, hosting often didn't want to do images... too large? It was handy to be able to link them in from a dedicated hoster, like imagebin or something.
Show threadJulia EvansMar 4
@ddr do you need to send the user's imagebin cookies to do that?
Show threadDDR
@b0rk Hmm, I think there were some that would only let you see images if you were logged in, but I might be wrong.
Mar 4 at 8:08pmWeb
Show threadDDRMar 4
It's been a long, long time. And I think it was mainly a hostage-taking tactic anyway.
Show threadgroxxMar 4

@ddr I think I remember a couple things like this quite a long time ago, so I think you are remembering correctly. Relatively insular free community hosting, basically, with tight quotas for people who are not part of the community to prevent widespread hotlinking.

You could do this with an iframe nowadays too, but sizing it correctly is still basically unsolved, I think? And it would probably use more resources, though not by much.

But then again, I haven't heard of or thought about hotlinking as an issue for a long time now. I kind of wonder what changed. Maybe everyone just uses CDNs? Or sites copy files a whole lot more?

Show threadDDRMar 6

@groxx. I think disk storage became like 100x cheaper or something, so the cost of hosting them yourselves basically went away. It was always a usability/reliability mess anyway.

To some extent, it's also been a while since I've been on a forum at all, as well... 🤔

Show threadJulia EvansMar 4
@ddr that seems very possible!