CSRF (Cross-Site Request Forgery) is an attack that abuses a website's trust in an authenticated user's browser: the attacker causes the victim's browser to send the site requests the user never intended, and the browser attaches the user's cookies to them automatically. This can be done, for example, by hiding malicious parameters in a URL behind a link or image that purports to go somewhere else:
For users who have some permissions on www.example.com, an <img> element pointing at such a URL will execute the action on https://www.example.com without their noticing, even if the element is not at
There are several ways to prevent CSRF: design the API so that state-changing operations are never performed on GET and are only accepted over requests a cross-site form or <img> cannot produce; add a secret anti-CSRF token to your own forms that a page on another origin cannot read; check the Origin (or Referer) header against your own origin; and set the SameSite attribute on the session cookie so the browser does not attach it to cross-site requests.
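The following is an added example, not code from the original page: a minimal server-side CSRF guard in Python that combines the defenses above. It refuses state changes on GET (which is all an <img> can send), checks the Origin/Referer header against the site's origin, and requires a per-session synchronizer token compared in constant time. The Request class, the in-memory token store, the session cookie name and the /transfer endpoint are hypothetical stand-ins for a web framework's own objects; the three sample requests are constructed for the demonstration.

```python
# Added example (not from the original page): a minimal server-side CSRF guard
# combining a per-session synchronizer token with an Origin/Referer check.
# The Request class, the token store and the /transfer handler are hypothetical
# stand-ins for a web framework's own objects.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://www.example.com"  # the site being protected

# session id -> CSRF token; a real app keeps this in its session store
_csrf_tokens: dict[str, str] = {}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Mint an unguessable token bound to the session; embed it in the site's own forms."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def _same_origin(url: str) -> bool:
    # Compare scheme and host exactly; a startswith() check would accept
    # "https://www.example.com.attacker.net".
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def check_csrf(req: Request) -> tuple[bool, str]:
    """Return (accepted, reason) for a state-changing request."""
    # 1. Never change state on GET: that is exactly what an <img src=...> or a
    #    plain link on another site can trigger.
    if req.method.upper() != "POST":
        return False, "state-changing action requested with %s" % req.method
    # 2. Browsers send Origin (or at least Referer) on cross-site form posts;
    #    a value from another site, or none at all, is rejected.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin or not _same_origin(origin):
        return False, "missing or foreign Origin/Referer: %r" % origin
    # 3. The session cookie is attached automatically by the browser, so it proves
    #    nothing about intent. The token, which only our own pages can read, does.
    session_id = req.cookies.get("session")
    expected = _csrf_tokens.get(session_id or "")
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def handle_transfer(req: Request) -> dict:
    """Hypothetical money-transfer endpoint guarded by check_csrf."""
    ok, reason = check_csrf(req)
    if not ok:
        return {"status": 403, "reason": reason}
    return {"status": 200, "to": req.form["to"], "amount": int(req.form["amount"])}


# Constructed sample requests. All three carry the victim's session cookie,
# because the browser attaches it regardless of which page caused the request.
VICTIM_COOKIES = {"session": "sess-123"}

# (a) <img src="https://www.example.com/transfer?to=attacker&amount=1000"> on an attacker page
FORGED_IMG = Request("GET", "/transfer?to=attacker&amount=1000", VICTIM_COOKIES,
                     headers={"Referer": "https://attacker.example/"})

# (b) auto-submitting cross-site form POST; the attacker cannot read the token
FORGED_FORM = Request("POST", "/transfer", VICTIM_COOKIES,
                      headers={"Origin": "https://attacker.example"},
                      form={"to": "attacker", "amount": "1000"})


def legitimate_request() -> Request:
    # (c) the site's own form, which embeds the token issued for this session
    token = issue_csrf_token("sess-123")
    return Request("POST", "/transfer", VICTIM_COOKIES,
                   headers={"Origin": SITE_ORIGIN},
                   form={"to": "alice", "amount": "50", "csrf_token": token})


if __name__ == "__main__":
    for label, r in (("img GET", FORGED_IMG), ("cross-site POST", FORGED_FORM),
                     ("legitimate", legitimate_request())):
        print(label, handle_transfer(r))
```

The checks are layered on purpose: the method check alone stops the <img> trick, the origin check stops most cross-site form posts, and the token is what still holds when a proxy strips Referer or an older browser omits Origin. A SameSite=Lax or Strict attribute on the session cookie is a complementary browser-side control, not shown here because it is set on the cookie rather than checked in the handler.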