I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

@b0rk consider a service like S3. If I host my images there, in *principle* I really ought to be able to point my URLs there without intermediate faff beyond "yes, you're allowed to host stuff here". Cookies could be used for billing quotas or other sorts of tracking that are not necessarily surveillance or advertising.
@glyph huh I thought S3 just does billing through your S3 account, I'm having trouble imagining why it would need cookies from the user's browser
@b0rk it does, but one could *imagine* a world where the user were tolled micropayments rather than the bucket owner just being charged and then figuring out auth & payments for the downloader on their end

@glyph do you think there's a service that actually works this way today?

(I'm trying to come up with an explanation of why browsers work this way and it definitely has to be based on "things people very commonly do on the web already", not "things you could hypothetically do")

@b0rk @glyph A lot of forums allow public posting but won't host images, so any desired images must be hosted by third party services like photobucket or image shack.

...both of which recently purged their archives, breaking the entire thing.

@madengineering @glyph do users have to be logged in to photobucket in order to view the images?
@b0rk @glyph No, the images were publicly hosted for everyone to see, that was the whole point.
@b0rk Given how heavily it's discouraged now (SameSite=None is already entirely broken in a lot of contexts, many of which are enumerated here <https://privacysandbox.google.com/cookies/prepare/overview>) I can't imagine anything could work like this today.
@b0rk Anything that would would have to have big "this won't work on Safari, or on any Apple device, or on most enterprise deployments of Chrome" which would pretty severely limit its audience.
@b0rk I remember *using* this functionality back in the day for stuff like federated sessions, but that boils down to the “tracking” you mentioned previously, and there are better mechanisms available now anyway (not least of which are just “CNAMEs”)
@glyph @b0rk You actually can force the downloader to cover the costs via the S3 command line, but that's never used in the CDN use of S3.
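An added example, written for this thread rather than taken from any of the posts above: a small Python model of the SameSite rules that decide whether a cookie rides along on the cross-site `<img>` request the thread is discussing, and on the CSRF-style cross-site POST that those rules exist to block. Hostnames such as forum.example and photos.example are constructed, the registrable domain is approximated by the last two host labels, and a cookie with no SameSite attribute is assumed to be treated as Lax, as Chrome does.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str = "Lax"  # "Strict", "Lax" or "None"; assumed Lax when the attribute is missing, as Chrome does
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url: str            # resource being fetched, e.g. the <img src>
    initiator_url: str  # page that embeds the resource or holds the link/form
    method: str = "GET"
    top_level_navigation: bool = False  # link click / form submit; False for <img>, <iframe>, fetch()


def site_of(url: str) -> tuple:
    """Schemeful site = scheme + registrable domain. Simplification: the last two
    host labels stand in for eTLD+1; a real browser consults the public suffix list."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return (parts.scheme, ".".join(labels[-2:]))


def would_send(cookie: Cookie, req: Request) -> bool:
    """Would a modern browser attach `cookie` to `req`? Models the SameSite rules."""
    if cookie.same_site == "None" and not cookie.secure:
        return False  # rejected at Set-Cookie time, so never in the jar
    if cookie.secure and urlsplit(req.url).scheme != "https":
        return False  # Secure cookies travel over https only
    if site_of(req.url) == site_of(req.initiator_url):
        return True   # same-site request: SameSite imposes no restriction
    if cookie.same_site == "None":
        return True   # explicitly opted in to cross-site sending
    if cookie.same_site == "Lax":
        # Lax allows cross-site cookies only on top-level navigations with safe methods
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return False      # Strict: never cross-site


def embedded_image_request(page_url: str, img_src: str) -> Request:
    """The thread's scenario: a page on one site embedding an image hosted on another."""
    return Request(url=img_src, initiator_url=page_url)
```

With the default Lax cookie the image host never sees the user's session on an embedded image, which is why a photobucket-style host that wanted per-viewer cookies would have to opt in with `SameSite=None; Secure` and accept the client-side restrictions mentioned above.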