I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

@b0rk Generally speaking, to enable loading authenticated content from other sites.

@ondras @b0rk But how do you know the user is authenticated on that other site? Can you rely on it?

@liskin @b0rk Do I need to?

I mean -- the typical use case here is to be able to sign in to "google.com" and have your google avatar shown at "youtube.com".

Alternatively, visit "myeshop.cz" and include a per-product discussion embed iframe from "we.provide.forums.net".

@ondras @b0rk Oh, right, so stuff where you're always getting some content back, it just might or might not be personalised. Got it!