CSRF token timeout

Tags: csrf

This page describes a use case to explain CSRF attacks (16.1):

https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

But if the user is indeed logged in the bank's website, then isn't it possible for the evil website to make a GET request to get a fresh CSRF token, and craft a POST without needing the user at all?

The answer must be no, otherwise the CSRF token would be useless, but I don't understand why.

benji asked Dec 05 '25 05:12


1 Answer

The answer is "no" and the reason is Same-Origin Policy.

SOP means that a page from evil.com cannot read any response to requests that it may send to example.com. Most direct means to send a request will be blocked by the browser (SOP), but there are many workarounds. For example, evil.com could send

  • GET requests by embedding an <img>, <script>, <css> and setting src="http://example.com/path" (or <a href="http://example.com/path">).
  • POST requests by submitting a form.

Since evil.com cannot read any of the responses, it cannot read the CSRF token.

kuporific answered Dec 11 '25 00:12
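As an added example (not from the question, the answer, or Spring Security's own code), the following Python simulation shows the bank's side of what the answer describes: the token is issued in a GET response that only same-origin pages can read, and a POST is accepted only when it carries that token, so a form auto-submitted from evil.com fails even though the browser attaches the session cookie. The `bank.example` origin and the `JSESSIONID` cookie name are assumptions.

```python
import hmac
import secrets

# Constructed in-memory server state: one CSRF token per authenticated session
# (the synchronizer token pattern that Spring Security's CsrfFilter implements).
sessions = {}

def login(user):
    """Create a session and issue its CSRF token (constructed sample data)."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(cookies):
    """GET /transfer: the body embeds the token as a hidden field.
    Only same-origin scripts may read this body; a request triggered from
    evil.com via <img>, <script> or a form gets a response the browser
    renders but never exposes to evil.com's JavaScript (Same-Origin Policy)."""
    sess = sessions.get(cookies.get("JSESSIONID"))  # assumed cookie name
    if sess is None:
        return 401, ""
    return 200, f'<input type="hidden" name="_csrf" value="{sess["csrf"]}">'

def handle_transfer(cookies, form, headers):
    """POST /transfer: the cookie alone proves nothing, because the browser
    attaches it to any form submission targeting this site. The request is
    accepted only if the form also carries the session's token."""
    sess = sessions.get(cookies.get("JSESSIONID"))
    if sess is None:
        return 401
    # Defence in depth: a cross-site form submission carries a foreign Origin.
    origin = headers.get("Origin")
    if origin is not None and origin != "https://bank.example":  # assumed origin
        return 403
    if not hmac.compare_digest(form.get("_csrf", ""), sess["csrf"]):
        return 403
    return 200

def demo():
    cookies = {"JSESSIONID": login("alice")}
    # Legitimate flow: a same-origin page loads the form, reads the token, posts it.
    _, body = render_transfer_form(cookies)
    token = body.split('value="')[1].rstrip('">')
    ok = handle_transfer(cookies, {"_csrf": token, "amount": "100"},
                         {"Origin": "https://bank.example"})
    # Forged flow: evil.com's auto-submitted form. The cookie is sent, but
    # evil.com never saw the token, so the best it can do is guess one.
    forged = handle_transfer(cookies, {"_csrf": "guess", "amount": "100"},
                             {"Origin": "https://evil.com"})
    # Even with no Origin header at all, the token check still rejects it.
    forged_no_origin = handle_transfer(cookies, {"amount": "100"}, {})
    return ok, forged, forged_no_origin
```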


