In the measures to prevent CSRF attacks, why is it not recommended to add the token to the URL?

The information found on the Internet generally says that adding the token to the URL may lead to leakage, but I still can't understand this.

Apr.09,2021

A little bit of personal understanding:
If your website is all your own internal addresses, it should be fine with the token. But in some places such as forums, there may be all kinds of links on a website, and then there is a problem.
Take a forum website W: http://a.com. If the address of a link in the forum is article.html?id=&token=, there is a dangerous link article.html?id=222&token=111. The page is edited by the user. It has a seductive address http://d.com/danger.html. In danger.html there is a way to get the Referer, and there is a token, and a picture http://a.com/modifyPwd?token=*.
  1. User U logged in to forum W, authorization succeeded
  2. The user clicks the link article.html?id=222&token=111
  3. The user clicks on the seductive URL http://d.com/danger.html
  4. http://a.com/modifyPwd?token=* is issued through img within danger.html
  5. Cross-domain attack succeeded
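
An added example (not part of the original answer): a simplified model of the browser's Referrer-Policy rules applied to the navigation from the article page to d.com, showing under which policies the token in the query string ends up in the Referer header. It reduces "potentially trustworthy" to an https scheme check, and the function names are made up for this illustration.

```javascript
// Added example: simplified model of the Referrer Policy algorithm.
// Assumption: "potentially trustworthy" is reduced to "scheme is https".
const trustworthy = (u) => u.protocol === "https:";

function refererSent(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  from.username = "";                  // credentials and fragment are always stripped
  from.password = "";
  from.hash = "";
  const full = from.href;              // path and query string included
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = trustworthy(from) && !trustworthy(to);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the Referer value would carry the named query parameter to the target site.
function leaksParam(referer, name) {
  return referer !== null && new URL(referer).searchParams.has(name);
}

// URLs from the scenario above; the token value 111 is the answer's sample.
const page = "http://a.com/article.html?id=222&token=111";
const target = "http://d.com/danger.html";

function report() {
  const policies = ["unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "same-origin", "no-referrer"];
  return policies.map((p) => {
    const r = refererSent(p, page, target);
    return { policy: p, referer: r, tokenLeaked: leaksParam(r, "token") };
  });
}

console.table(report());
```

Only `unsafe-url` and `no-referrer-when-downgrade` hand the full URL to d.com here; a token sent in a request header or POST body never enters the Referer under any policy.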