My understanding is that CSRF prevents an attacker using an tag to get the victim's browser to send a request that would be authenticated using the
The attacker can host a form on their own site, but it does not require the form to be submitted by the user. They can use JavaScript to do this:
IFrame injection is more of an XSS vulnerability. An XSS vulnerability is more serious than a CSRF one because more damage can be done and it will always override any CSRF protection you have. Make sure you are always correctly encoding output for the context that the output is in (e.g. encode for HTML or for JavaScript as appropriate).
Check out the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - their best recommendation is to use the Synchronizer Token Pattern, which seems similar to the link in your answer but can work in combination with cookies.
Also, here's a link to the XSS (Cross Site Scripting) Prevention Cheat Sheet.
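
The Synchronizer Token Pattern recommended in the answer above, shown as an added example that is not part of the original post: the server binds a random token to the session, embeds it in its own form, and rejects any state-changing request whose token does not match, even when the session cookie is present. The session store, the function names, the `/transfer` action and the `csrf_token` field name are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def login(user):
    """Create a session and bind a random CSRF token to it server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token in a hidden field of a same-origin form."""
    token = SESSIONS[sid]["csrf"]  # URL-safe alphabet, safe inside the attribute
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')

def handle_post(cookies, form):
    """Process a state-changing request; returns (status, message)."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # The cookie alone is not enough: the browser attaches it to cross-site
    # requests too. The token must also match, compared in constant time.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transfer of {form.get('amount')} done for {session['user']}"

def demo():
    sid = login("alice")
    cookies = {"sid": sid}
    token = SESSIONS[sid]["csrf"]
    legit = handle_post(cookies, {"amount": "10", "csrf_token": token})
    # Cross-site auto-submitted form: the cookie is sent, the token is unknown.
    forged = handle_post(cookies, {"amount": "9999"})
    guessed = handle_post(cookies, {"amount": "9999", "csrf_token": "x" * 43})
    return legit, forged, guessed

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check only holds while the page that carries the token is free of XSS, since script running in the site's own origin can read the hidden field.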