This page describes a use case to explain CSRF attacks (16.1):
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
But if the user is indeed logged in the bank's website, then isn't it possible for the evil website to make a GET request to get a fresh CSRF token, and craft a POST without needing the user at all?
The answer must be no, otherwise the CSRF token would be useless, but I don't understand why.
The answer is "no" and the reason is Same-Origin Policy.
SOP means that a page from evil.com cannot read any response to requests that it may send to example.com. Most direct means to send a request will be blocked by the browser (SOP), but there are many workarounds. For example, evil.com could send <img>, <script>, <css> by setting src="http://example.com/path" (or <a href="http://example.com/path">). Since evil.com cannot read any of the responses, it cannot read the CSRF token.
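To make the argument in this answer concrete, here is an added example (not from the Spring documentation or from the answer's author) that simulates a synchronizer-token server and a browser that attaches the bank cookie to every request but enforces SOP; the origins bank.example and evil.example and the /transfer endpoint are constructed for the illustration.

```python
import secrets


class BankServer:
    """Minimal synchronizer-token pattern: the CSRF token is bound to the session cookie."""

    def __init__(self):
        self.sessions = {}   # session cookie -> CSRF token for that session
        self.transfers = []  # amounts of accepted transfers

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def handle(self, method, path, cookie, form=None):
        if cookie not in self.sessions:
            return 401, ""
        if method == "GET" and path == "/transfer":
            # The form page embeds the session's token as a hidden field.
            return 200, self.sessions[cookie]
        if method == "POST" and path == "/transfer":
            submitted = (form or {}).get("_csrf", "")
            if not secrets.compare_digest(submitted, self.sessions[cookie]):
                return 403, ""  # token missing or wrong: request rejected
            self.transfers.append(form["amount"])
            return 200, ""
        return 404, ""


class Browser:
    """Sends the bank cookie with every request to the bank (the root of CSRF),
    but enforces SOP: a page from another origin never sees the response body."""

    def __init__(self, server, bank_cookie):
        self.server, self.cookie = server, bank_cookie

    def request(self, page_origin, method, path, form=None):
        status, body = self.server.handle(method, path, self.cookie, form)
        if page_origin != "https://bank.example":
            body = None  # cross-origin read blocked: the response is opaque
        return status, body


def same_origin_transfer(browser):
    """The bank's own page reads the token from the GET and submits it."""
    _, token = browser.request("https://bank.example", "GET", "/transfer")
    form = {"_csrf": token, "amount": "10"}
    return browser.request("https://bank.example", "POST", "/transfer", form)[0]


def cross_site_attempt(browser):
    """evil.example can trigger the GET, but SOP hides the body, so it has no token."""
    _, token = browser.request("https://evil.example", "GET", "/transfer")
    form = {"_csrf": token or "", "amount": "10"}
    return browser.request("https://evil.example", "POST", "/transfer", form)[0]
```

Running both helpers against one logged-in session shows the same-origin flow succeeding (200) while the cross-site flow, even though it could fire the GET, never obtains the token and is refused (403).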