Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadGlyphMar 4
@b0rk consider a service like S3. If I host my images there, in *principle* I really ought to be able to point my URLs there without intermediate faff beyond "yes, you're allowed to host stuff here". Cookies could be used for billing quotas or other other sorts of tracking that are not necessarily surveillance or advertising.
Show threadJulia EvansMar 4
@glyph huh I thought S3 just does billing through your S3 account, I'm having trouble imagining why it would need cookies from the user's browser
Show threadGlyphMar 4
@b0rk it does, but one could *imagine* a world where the user were tolled micropayments rather than the bucket owner just being charged and then figuring out auth & payments for the downloader on their end
Show threadJulia EvansMar 4

@glyph do you think there's a service that actually works this way today?

(i'm trying to come up with an explanation of why browsers work this way and it definitely has to be based on "things people very commonly do on the web already", not "things you could hypothetically do")

Show threadMad Engineering

@b0rk @glyph A lot of forums allow public posting but won't host images, so any desires images must be hosted by third party services like photobucket or image shack.

...both of which recently purged their archives, breaking the entire thing.

Mar 4 at 8:37pmWeb
Show threadJulia EvansMar 4
@madengineering @glyph do users have to be logged in to photobucket in order to view the images?
Show threadMad EngineeringMar 4
@b0rk @glyph No, the images were publicly hosted for everyone to see, that was the whole point.