Mastodawn

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show thread

Christine Lemmer-Webber

@b0rk There was a debate within the W3C Technical Architecture Group that I was pointed to at one point by Jonathan Rees, former member of the TAG, there was a debate between whether to go a capability security approach for the web or a perimeter security approach. The TAG, per my understanding, was leaning towards ocaps but some of the big web players said "well we are already doing the perimeter security approach" and so, alas, that won by default, and we got CSRF :\