img-tag GET request CSRF
Check whether an external state-changing GET endpoint can be requested with cookies through img.src.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | works |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/csrf-image?lang=en" title="XSS Playground - img-tag GET request CSRF" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- The oldest CSRF shape: <img src="https://target/action?a=b"> is enough to fire a GET request that carries the user's cookies for target. No script is needed, so script blocking does not help.
- Even sandbox="" does not block img requests: the iframe sandbox restricts scripts, forms, top-level navigation and plugins, not subresource loads. On the rendering side the real defense is a CSP img-src directive or host validation of every img src value during HTML rendering.
- If the target relies on SameSite=Lax (or Strict) cookies, cross-site subresource requests such as img loads do not carry them (Lax cookies are only sent on top-level navigations), so the CSRF impact is minimal. IP exposure, tracking pixels, and pings to internal-only endpoints, none of which need a cookie, are still possible.
- Note: most editors and CMSes allow img tags freely, so this surface needs a host allowlist or CSP to close. On the target side, state-changing actions should never be reachable by GET in the first place.