How is using Synchronizer Token Pattern to prevent CSRF safe?

长发绾君心 2021-02-05 02:49

I have been reading about using a synchronizer token pattern to prevent CSRF (CSRF meaning Cross-site request forgery), and I don't understand how it is actually safe.

Le

2 answers
  •  刺人心 (OP)
     2021-02-05 03:39

    And that is exactly the point. The Same Origin Policy in the browser does not allow GET requests to other sites. So no site can GET the CSRF token from another just using JavaScript within the browser.
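
The token flow the answer describes, as an added example that is not part of the original thread: a per-session synchronizer token is generated server-side, embedded in the site's own form, and required on every state-changing POST, so a request that the browser sends from another origin (cookie attached, token unreadable) is rejected. The in-memory session store, the function names and the form markup are assumptions.

```python
import secrets
import hmac

# Constructed in-memory session store: session id -> {"csrf_token": ...}
# (a real application would keep this in its session backend)
SESSIONS = {}

def new_session():
    """Create a server-side session and return its id (assumed to be sent to
    the browser as an HttpOnly cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def issue_csrf_token(sid):
    """Generate a fresh synchronizer token bound to this session, store it on
    the server and return it for embedding in the page."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token

def render_form(sid):
    """Simulate the HTML the legitimate site returns. Only code running in the
    site's own origin can read this response body, which is what keeps the
    token out of reach of other sites."""
    token = issue_csrf_token(sid)
    return ('<form method="post">'
            f'<input type="hidden" name="csrf_token" value="{token}"></form>')

def handle_post(cookie_sid, form):
    """Validate a state-changing POST: the cookie identifies the session and
    the form must carry the token stored for that session."""
    session = SESSIONS.get(cookie_sid)
    if session is None or "csrf_token" not in session:
        return 403, "no session or no token issued"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: no timing leak, no TypeError on
    # non-ASCII input.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token mismatch"
    return 200, "action performed"

def demo():
    """Return the status codes for a legitimate POST, a forged POST with a
    guessed token, and a forged POST with no token: (200, 403, 403)."""
    sid = new_session()
    html = render_form(sid)  # the user's browser loads the real page
    token = html.split('value="')[1].split('"')[0]
    legit = handle_post(sid, {"csrf_token": token})
    # A page on another origin can make the browser send the session cookie,
    # but cannot read the form above, so it can only guess or omit the token.
    forged = handle_post(sid, {"csrf_token": "wrong-token"})
    missing = handle_post(sid, {})
    return legit[0], forged[0], missing[0]
```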
