I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously, but I feel like there's another actually-useful-to-users reason I'm not thinking of.

@b0rk that kind of thing is needed for centralized SSO to third-party hosted services, where you log in via auth.myorg to use a service at some.provider/myorg, which makes use of myorg.other.provider. Each provider’s page/HTTP resource has to check with auth.myorg to validate your login, for which auth.myorg has to get your login cookies. The scripts loaded from some.provider/myorg send a request to auth.myorg to get a token to send to myorg.other.provider.
@b0rk … I would much rather impose the requirement that cookies only be shared within subdomains of the same domain, so it would only work if some.provider/myorg lived at some.provider.myorg, and myorg.other.provider at other.provider.myorg. That would make a whole bunch of things a whole lot easier. (It should also apply to the thing I can’t remember the name of, where subdomains are rented, so providers I use for mysite.geocities would have to be at *.mysite.geocities, not *.geocities.)
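An added example, not code from either poster or from any browser: a small model of the decision a browser makes about whether to attach a cookie to a request, used to trace the token step of the SSO flow described in the reply under today's SameSite rules and under the reply's proposed "only within subdomains of the same domain" rule, and to check the rented-subdomain case (which browsers handle with the Public Suffix List). All hostnames are constructed under `.example`; the suffix table is a two-entry stand-in for the real list, with `geocities.example` playing the host that rents out subdomains. `credentials` on a request models the `fetch()` option; for `<img>` and navigations it is always `"include"`.

```javascript
// Constructed stand-in for the Public Suffix List. A public suffix is nobody's
// site, so each tenant of geocities.example is its own site.
const PUBLIC_SUFFIXES = new Set(["example", "geocities.example"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const h = host.toLowerCase();
  if (PUBLIC_SUFFIXES.has(h)) return null;
  const labels = h.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Two hosts are "same-site" when their registrable domains agree.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// RFC 6265 domain-match: the request host is the cookie's Domain or below it.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Browsers refuse a Domain attribute that is itself a public suffix, so one
// geocities tenant cannot set a cookie that every other tenant would receive.
function cookieDomainAllowed(settingHost, cookieDomain) {
  return domainMatches(settingHost, cookieDomain) && registrableDomain(cookieDomain) !== null;
}

// Is `cookie` attached to a request for `req.host`, issued by a document at
// `req.initiator` while the top-level page is `req.topLevel`?
//   policy "current":      SameSite=Strict/Lax/None semantics (unset behaves as Lax)
//   policy "sameSiteOnly": the reply's proposal, never send a cookie across sites
function attachesCookie(cookie, req, policy = "current") {
  if (!domainMatches(req.host, cookie.domain)) return false;
  if (req.credentials === "omit") return false;
  if (req.credentials === "same-origin" && req.initiator !== req.host) return false;
  const crossSite = !sameSite(req.topLevel, req.host) || !sameSite(req.initiator, req.host);
  if (policy === "sameSiteOnly") return !crossSite;
  const mode = cookie.sameSite || "Lax";
  if (mode === "None") return cookie.secure === true; // None is only honoured with Secure
  if (!crossSite) return true;
  // Lax still sends the cookie on a cross-site top-level GET navigation (a link
  // click) but not on cross-site fetch(), <img>, or POSTed forms.
  return mode === "Lax" && req.topLevelNavigation === true && req.method === "GET";
}

// The login cookie set by auth.myorg.example (constructed attributes).
const LOGIN_COOKIE = { name: "session", domain: "auth.myorg.example", secure: true, sameSite: "None" };

// The reply's token step: a script on the provider's page asks auth.myorg for a
// token, which only works if the user's login cookie rides along.
function tokenRequest(providerHost) {
  return {
    host: "auth.myorg.example", initiator: providerHost, topLevel: providerHost,
    method: "POST", credentials: "include", topLevelNavigation: false,
  };
}

function ssoTokenStepWorks(providerHost, cookie = LOGIN_COOKIE, policy = "current") {
  return attachesCookie(cookie, tokenRequest(providerHost), policy);
}

// The <img src="othersite.com/..."> case from the original question.
function embeddedImageRequest(pageHost, imageHost) {
  return {
    host: imageHost, initiator: pageHost, topLevel: pageHost,
    method: "GET", credentials: "include", topLevelNavigation: false,
  };
}

for (const policy of ["current", "sameSiteOnly"]) {
  console.log(policy, "some.provider.example:", ssoTokenStepWorks("some.provider.example", LOGIN_COOKIE, policy));
  console.log(policy, "some.provider.myorg.example:", ssoTokenStepWorks("some.provider.myorg.example", LOGIN_COOKIE, policy));
}
```

Under the model, the cross-site token step in the reply works today only because auth.myorg marks its cookie `SameSite=None; Secure` (a `Lax` cookie, the browser default, is already withheld from that `fetch()` and from a cross-site `<img>`), and it stops working under the proposed rule unless the provider is moved under `myorg.example`, which is exactly the restructuring the reply asks for. Two things the model leaves out: real browsers also compare the scheme when deciding same-site, and the cross-site `fetch()` additionally needs a CORS response from auth.myorg with `Access-Control-Allow-Credentials: true` and an explicit allowed origin before the script can read the token.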