
CSRF is an attack where an attacker can forge a request that appears valid from the server's point of view, and convince the browser to execute that request.

Typically, it arises if an application stores its authentication credentials in a cookie, and the server checks only that cookie. Because cookies are always sent along with requests, a malicious website can construct and submit a POST request to execute an action, and the browser will attach the cookie to that request, thereby erroneously authorizing it.

A simple separation between GET/POST is not necessarily enough. Third-party websites can make POST requests by creating a <form> tag in a hidden <iframe> and submitting that form with JavaScript upon being loaded in a user's browser. (You can't submit arbitrary POSTs like this; the browser is limited in what mimetypes it can construct. For example, it isn't possible to construct a Content-Type: application/json request in this manner, so not all POST endpoints are vulnerable if they discriminate on Content-Type.)

Also, some CORS requests do not get preflighted even if they're POSTs, so a CORS-unaware server can end up executing those even if the browser won't give the result back to the requesting JS (the result doesn't matter; the action does).

https://en.wikipedia.org/wiki/Cross-site_request_forgery ; https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...
