IE cookie menagment and CSRF

Hi All,

Recently while toying with CSRF XSS I found out that when I place sth. like
<img src=âdomainB/logout.phpâ> on domainA 
IE(6.0.2800.1106.xpsp2.030422-1633) sends cookies from siteB. and 
Mozilla 1.7.2 don't.
Thins means that some web page on domainA can force any GET request as 
previously authorized user on domainB.

(imaginary scenario)
1)user logs on e-bay
2)wants to buy a book from attacker
3)attacker makes a webpage âSee what I sell on ebayâ with <img 
src=âhttp://ebay.com/bid.cgi?item=34345&price=99999â;> and links it to 
the auction
4)when user views his page he not wilingly bids 999999$ on an item

I think that Mozilla does right not sending cookies because domains of 
the cookies should apply to originating html document if it's an image 
not a link. Am i right ?

What do You thing about it ? Is it a bug or it's ok and we should use 
only POST methods for important forms?

--
Lazy