Mastodawn

I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

Show thread

ShadSterling Mar 4

@b0rk that kind of thing is needed for centralized SSO to third-party hosted services. Where you log in via auth.myorg, to use a service at some.provider/myorg which makes use of myorg.other.provider. Each provider’s page/HTTP resource has to check with auth.myorg to validate your login, for which auth.myorg has to get your login cookies. The scripts loaded from some.provider/myorg send a request to auth.myorg to get a token to send to myorg.other.provider

Show thread

ShadSterling

@b0rk (this is why all the login forms have email and password on separate pages now; they need your email address to look up which auth service to use so they can have the appropriate service ask for your password)