Why can't token be sent in bogus requests under unknown circumstances? isn't it all provided by browsers when sending requests?

A forged request in csrf can put cookie, in the request header without getting the cookie. Why can"t token be sent in a bogus request under unknown circumstances? isn"t it provided by the browser when sending the request?

Apr.07,2021

Let's put it this way, Cookies is automatically added by the browser. This is how CSRF attacks work.

but token cannot be added by browsers and cannot be obtained across sites. This is the premise of CSRF. CS in CSRF is Cross Site, cross-site. The reason for the existence of
token is that when getting token, the token is placed in the data that is not available across sites, while when verifying token, the token must appear in the specified location.

so when verifying, token definitely does not exist in cookies, and will not be automatically carried by browsers

. The request for

CSRF is made in another domain, so the cookie of the correct domain cannot be accessed.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e4bdbd-66809.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e4bdbd-66809.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?