I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

@b0rk I may have missed other explanations, but I just wanted to clarify one thing:

When Site A embeds an image from Site B, your browser includes only Site B’s cookies that you may already have when requesting that image, not any of Site A’s cookies. This is according to the Same Origin Policy.

And the SameSite flag when setting the cookie allows the site to control whether this actually happens or not.

@b0rk and then to answer the original question:

There are some sites that retrieve user-specific (or authenticated) images from other sites. It therefore requires that Site B be able to verify the identity of the user, however that is bootstrapped. I.e., log on to Site A, Site A passes the identity to Site B (OAuth, etc.), Site B sets its own cookies based on that identity, then Site A can refer to Site B's images.
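As an added example (not part of the thread above), here is a small Python model of the rules the replies describe: which cookies a browser attaches when Site A embeds an image from Site B, and how the cookie's SameSite attribute changes that. The hostnames, cookie names and the simplified "site" computation are constructed assumptions for the demo, not real browser code.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Simplified "site" computation: last two labels of the host. Real browsers use
# the Public Suffix List (eTLD+1); this shortcut is an assumption for the demo.
def site_of(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class Cookie:
    name: str
    domain: str            # host that set the cookie
    samesite: str = "Lax"  # "Strict", "Lax" or "None"; modern browsers default to Lax

def cookie_is_sent(cookie, request_url, initiator_origin=None,
                   top_level_navigation=False, method="GET"):
    """True if the browser would attach this cookie to the request.
    request_url      -- URL being fetched (e.g. Site B's image)
    initiator_origin -- origin of the page making the request (Site A),
                        or None for a navigation typed into the address bar"""
    target_site = site_of(urlparse(request_url).hostname)
    # Rule 1: a cookie only ever goes to the site that set it, so Site A's
    # cookies are never sent to Site B, whatever Site A embeds.
    if site_of(cookie.domain) != target_site:
        return False
    initiator_site = site_of(urlparse(initiator_origin).hostname) if initiator_origin else target_site
    if initiator_site == target_site:
        return True  # same-site request: SameSite imposes no restriction
    # Rule 2: cross-site request, so the cookie's SameSite attribute decides.
    if cookie.samesite == "None":
        return True  # browsers additionally require Secure for SameSite=None
    if cookie.samesite == "Lax":
        # Lax cookies ride along only on top-level navigations with safe methods;
        # an embedded <img> is a subresource request, so they are withheld.
        return top_level_navigation and method in ("GET", "HEAD")
    return False     # Strict: never sent cross-site

def cookies_sent(jar, request_url, initiator_origin=None, **kw):
    return [c.name for c in jar if cookie_is_sent(c, request_url, initiator_origin, **kw)]

# Constructed scenario: a page on Site A embeds <img src="https://siteb.example/avatar.jpg">.
JAR = [
    Cookie("a_session", "sitea.example", "Lax"),
    Cookie("b_session_lax", "siteb.example", "Lax"),
    Cookie("b_session_none", "siteb.example", "None"),
    Cookie("b_session_strict", "siteb.example", "Strict"),
]
IMG = "https://siteb.example/avatar.jpg"
```

Calling `cookies_sent(JAR, IMG, "https://sitea.example")` returns only `b_session_none`: Site A's own cookie never leaves Site A, and only a SameSite=None cookie from Site B accompanies the embedded image, which is exactly why the flag matters for CSRF.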