Email providers like Gmail,yahoo,hotmail do not load images in the email directly. These services require you to allow the images to be laoded. Why do they do this? Is it to prevent XSS/CSRF?
Two reasons - Privacy and CSRF.
Privacy
It allows the sender to figure out whether I have opened the email or not, without my knowledge. Spammers can figure out whether their "marketing" campaigns have had any impact or not.
CSRF
For CSRF to work, the victim has to click a link or visit the attackers page. If email clients were to display images automatically, just opening an email would be sufficient to launch a CSRF attack.
For example, lets assume paypal had a csrf vulnerability. Also assume that the user was logged on to paypal. Now, an attacker sends the user an email with <img src="http://paypal.com/transferfunds?fromAccount=victim&toAccount=attacker"/>. As soon as the user opens the email, funds would get transferred.