Julia EvansMar 4

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show threadSean Coates
@b0rk I read through the replies here and I think maybe one key idea was missed: early browsers did this because it’s the simplest thing to do. Then people built interactions based on this (such as the FB Like button). Then browsers couldn’t remove it without breaking things so they didn’t. Then ad tech weaponized it.
Mar 4 at 10:52pmWeb
Show threadJulia EvansMar 4
@sean yeah what i’m trying to work out is what specifically the “things” are in “Then browsers couldn’t remove it without breaking things”