Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadRenaud BerthierMar 4
@b0rk At web browsing dawn, maybe preferences on pictures, like idk, preferred size, preferred format (though that could be deduced with User Agent)? Maybe auth with session id, as pictures may be protected? I think that's how Facebook did at first: without login you could not see (or hotlink) a private picture.
Show threadMichael HansonMar 4
@rberthier @b0rk Preferred format is supposed to be handled by the Accept header, which has been around since the just-a-little-past-dark-ages. Per-user authentication was really the big one.
Show threadRenaud Berthier
@michaelrhanson @b0rk You're right about Accept!
Mar 4 at 8:42pmWeb