CSRF protection for GET requests

I have a RESTful API that I interact with via a website I have made. I have POST, DELETE, PUT, etc. requests adequately protected, so attackers cannot make any changes to the database via CSRF.

However, if someone uses CSRF to make a GET request to the website, I'm worried that they may be able to view the response, which could reveal the sensitive data that is stored in the database.

Is it possible for them to view the response to a cross-site GET request, or is this definitely, completely taken care of by Javascript's Same Origin Policy?

Solution

is this definitely, completely taken care of by Javascript's Same Origin Policy?

Yes. That's the point of the Same Origin Policy.

To be vulnerable you would need to either:

Punch a hole in the SOP using something like JSONP or CORS or
Not perform user authentication so they could access the data without involving an authenticated user's browser as a middleman

Chunk downloading of the big files right to the hard drive
My custom CSS transition animation is not working on hover after I added AOS JS library
how to get the Google analytics client ID
Toggle vue-multiselect close/open on button click
Best way to filter an objects's properties for data
Passing function with arguments as a prop and invoking it internally in React
Outlook calendar don't render with FullCalendar
Is there a way to validate and allow only https url's using .isUri i.e. without using Regex in JavaScript?
How to clear react native webview cookies?
Skipping a test in Cypress conditionally
How can I get all the HTML in a document or node containing shadowRoot elements
Typescript: No index signature with a parameter of type 'string' was found on type '{ "A": string; }
Retain Twitter Bootstrap Collapse state on Page refresh/Navigation
How to get "Results per Row" (from a 'clicked entry' off a "dropdown menu") to show up correctly?
Is there is a C# function which is similar to .Map() in JavaScript?
How to trigger SVG render same as manual DOM edit in Chrome using JS?
How do I test a Node.JS Script that is not a module and runs as soon as it's called?
Set element width based on a string that is not in the element
Testing JavaScript Written for the Browser in Node JS
Where are the trailing commas coming from in these radio buttons?
How to verify a signature from the Phantom wallet?
How to get the value of a Google Chrome flag using Javascript
event.preventDefault cannot block clipboard paste in chatgpt.com prompt box
Should I use ref or findDOMNode to get react root dom node of an element?
Disable button for 5 seconds with different label and change after it
JavaScript - Get all but last item in array
React-Redux: Should all component states be kept in Redux Store
Is it possible to use Closure Compiler ADVANCED_OPTIMIZATIONS with jQuery?
Capture selected option returns not defined instead
Uncaught TypeError: matchExpr[type].exec is not a function