Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadGlyphMar 4
@b0rk consider a service like S3. If I host my images there, in *principle* I really ought to be able to point my URLs there without intermediate faff beyond "yes, you're allowed to host stuff here". Cookies could be used for billing quotas or other other sorts of tracking that are not necessarily surveillance or advertising.
Show threadJulia EvansMar 4
@glyph huh I thought S3 just does billing through your S3 account, I'm having trouble imagining why it would need cookies from the user's browser
Show threadGlyphMar 4
@b0rk it does, but one could *imagine* a world where the user were tolled micropayments rather than the bucket owner just being charged and then figuring out auth & payments for the downloader on their end
Show threadcthos 🐱
@glyph @b0rk You actually can force the downloader to cover the costs via the S3 command line, but that's never used in the CDN use of S3.
Mar 4 at 8:40pmWeb