Does AntiForgeryToken in ASP.NET MVC prevent against all CSRF attacks?

Question

Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with simple script posting data to my web application won\'t succeed.

But

Answer 1

But what if malicious script will make first some simple GET request (by AJAX) in order to download the page containing antiforgery token in hidden input field, extracts it, and use it to make valid POST?

Yes, this is true, but, if it's not ending up in a browser this is NOT a CSRF attack.

If it does end it up the browser (for example scraping via an HTTP Request in server side code) then what would happen the scrape code will get a CSRF token. However your legitimate, authenticated users will get a different token put on their machine. Because the token that the scraper lifts is different to the one issued to your users then the POST will fail.

If you want to stop non-browser scripts making posts then you need to take another approach to validate it's a human.