Are we really secured from CSRF?

Question

confirm.php

<?php
 session_start();
 $token= md5(uniqid());
 $_SESSION['delete_customer_token']= $token;
 session_write_close();
?>
<form method="post" action="confirm_save.php">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
Do you really want to delete?
<input type="submit" value=" Yes " />
<input type="button" value=" No " onclick="history.go(-1);" />

confirm_save.php

<?php
 session_start();
 $token= $_SESSION['delete_customer_token'];
 unset($_SESSION['delete_customer_token']);
 session_write_close();
 if ($_POST['token']==$token) {
   // delete the record
 } else {
   // log potential CSRF attack.
 }
?>

Lets say we have a typical CSRF protection like this one What if an attacket uses this code to bypass the csrf token?

//On any site
<img src="http://cia.teletubbies.com/csrf.php" height="0" weight="0"/>

//csrf.php
$cont = get_file_contents("http://cia.google.com/confirm.php");
// parse the html using [PHP Simple HTML DOM Parser][2] and get the CSRF token
//CURL and send a POST request to confirm_save.php with the token

This thing keeps bugging me, but im too lazy to try an attack on any random site. Isnt this is possible?

The example code was stolen from preventing csrf in php

Updated

What happens when someone wants to pass a token from one platform to another or from server side to the client side? Flash to PHP for instance, how could its secure from csrf?

Answer 1

You'd be getting the CSRF token for the session of the server you are using to scrape the page. Since that session is not the victim's, it's secure. (If you're stealing the user's session, it's no longer a CSRF attack!)

So, yes, unless it's implemented horribly, you can't just scrape a CSRF token and use it in a CSRF attack.

Answer 2

The CSRF protection works since only the authenticated user can access the token.

Your csrf.php page is on another domain, and can thus not see session cookies for the legitimate site, nor get to the CSRF token.