I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

@b0rk I don't know! Speculation: looking at the other things that are allowed to be embedded (scripts, styles, video, iframes) these are pieces of content that are black boxes for the page. Like, you can see it, js on the page can't.

So, as long as it's safe-ish, it's also handy; who wants to serve their video directly from the site when CDNs exist?

https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Same-origin_policy#cross-origin_network_access
