I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking", obviously, but I feel like there's another actually-useful-to-users reason I'm not thinking of.

@b0rk the third party site could be hosting files available by authenticated access only, and allowing the first site to issue auth tokens. I’m not sure I can think of a specific use case where I’d want to do this. Maybe corporate trainings getting licensed from providers and then served from the licensee’s site?