Cross-site request forgery is the one where the bad person sticks an image tag or some javascript or whatever on a page, and your privileges are used to do something.

So my latest little experiment: out of the image urls your browser sees that have queries (the '?a=b&c=d&e=f'), how many are
- just advertisement trash anyway
- things you want where the request would work just as well with the query removed (e.g. forum software that likes to stick session ids on everything)
- things that wouldn't still work but don't really matter (e.g. user icons)
- things you need

Here's a little bit of code that tries rejecting them. (If dillo had an option for such a thing someday, I imagine it would have a form more like "don't automatically load, and make it easier to know what the URL is before you load it manually")
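As an added example (not the poster's code and not anything from dillo), here is a Python sketch of the "don't auto-load, but keep the URL handy" behaviour described above: image URLs without a query load as usual, image URLs with a query are held back together with a query-stripped variant to try first. The SESSION_KEYS set and all sample URLs are assumptions constructed for the demo.

```python
"""Reject-by-default filter for image requests that carry a query string.

Models the option the post sketches: queried image URLs are not fetched
automatically; instead the original URL, a query-stripped candidate, and the
query keys are recorded so a user can decide whether to load it by hand.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumed list of parameter names forum software tends to append to every
# link. Used only to explain *why* a URL was held back, never to auto-load it.
SESSION_KEYS = {"sid", "phpsessid", "sessionid", "s"}

def classify(url):
    """Return (action, detail) for one image URL.

    action 'load'  -> no query (or a data: URL), fetch as usual
    action 'defer' -> has a query; detail carries the query-stripped URL to
                      offer the user, the query keys, and a session-id hint
    """
    parts = urlsplit(url)
    if parts.scheme == "data" or not parts.query:
        return "load", {"url": url}
    stripped = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return "defer", {
        "url": url,
        "stripped": stripped,
        "keys": keys,
        "looks_like_session": any(k.lower() in SESSION_KEYS for k in keys),
    }

def filter_images(urls):
    """Split a page's image URLs into those to auto-load and those to hold."""
    load, defer = [], []
    for u in urls:
        action, detail = classify(u)
        (load if action == "load" else defer).append(detail)
    return load, defer

# Constructed sample input standing in for the img src values of one page.
SAMPLE = [
    "http://ads.example/banner.gif?cid=123&ref=xyz",        # ad tracking
    "http://forum.example/images/smile.gif?sid=abc123",      # session id
    "http://forum.example/images/avatars/42.png",            # plain icon
    "http://app.example/settings?newsletter=on",             # state change
    "data:image/png;base64,iVBORw0KGgo=",                    # inline image
]

if __name__ == "__main__":
    auto, held = filter_images(SAMPLE)
    print("auto-load:", [d["url"] for d in auto])
    for d in held:
        print("held:", d["url"], "-> try:", d["stripped"], d["keys"])
```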