I wrote some code because I said I was going to write some code, but it turns out that I dislike cookies and advertisements too much to give it any decent testing. If anybody ever wants to play with it, though, here it is: http://www.dillo.org/test/csrf-20081015.patch requests not made by user: 1) Cache_redirect() calling a_Nav_push with the URL from the Location HTTP header, which calls Nav_open_url, which can stuff the requesting URL into the Web structure. 2) a_Html_add_new_image() for automatically-loaded images, calling Html_load_image(), which can stuff the requesting URL into the Web structure. Http_send_query() gets the requesting URL from the Web structure and passes it to a_Http_make_query_str(), which calls a_Cookies_get_query. If cookiesrc shows that the requesting URL is not trusted with cookies, I decided to deny it. Otherwise, the URL is sent off with the request to the cookies dpi. In the dpi, the arguments find their way to Cookies_get and then Cookies_requester_authorized(), which tries to decide whether it wants to send a particular cookie on behalf of the requester.