Hidden form auto-submit (CSRF-like)
Auto-submit a hidden form to an external domain and compare two separate boundaries: the iframe sandbox (whether `allow-forms` is granted) and the target's own CSRF defence (whether its session cookie is attached to the cross-site request).
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works: the form is submitted to the target |
| sandbox="allow-scripts" | partial: the auto-submit script runs, but the submission itself is blocked because `allow-forms` is absent |
| sandbox="" (strictest) | blocked: neither the script nor the submission runs |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/form-auto-submit?lang=en" title="XSS Playground - Hidden form auto-submit (CSRF-like)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- A form submission is a navigation and may target any origin. Whether it becomes CSRF depends on whether the target's session cookie is attached to that cross-site request, which the cookie's SameSite attribute controls: `None` sends it, `Lax` (the common default) withholds it on a cross-site POST and on any navigation inside a frame, and `Strict` always withholds it.
- Without `allow-forms` in `sandbox`, the submission is blocked outright. Leave the keyword out unless you also maintain a host allowlist for the framed content.
- Note: the same-origin policy prevents the iframe from reading the response, but often "the request reached the target" is the attack; a state-changing POST does not need the response to succeed.
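The two boundaries described above can be modelled without a browser. The following is an added example written for this page, not code from XSS Playground: it builds the kind of hidden auto-submit form the embed uses, decides from an iframe's `sandbox` attribute whether the submission is allowed, and decides from a cookie's SameSite attribute whether the target's cookie would ride along. The target URL, field names and cookie policies are constructed, hypothetical values; the script runs under Node.

```javascript
// Added example, not the XSS Playground's own code. Models the two boundaries
// the explanation names for a hidden auto-submitted form: the iframe sandbox
// flag (allow-forms) and the target's SameSite cookie policy. Runs in Node;
// the target URL and field names are constructed, hypothetical values.

// Escape a value for use inside a double-quoted HTML attribute so a
// caller-supplied action or field value cannot break out of it.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the kind of hidden auto-submit form the playground embeds: a hidden
// POST form whose inline script calls submit() as soon as the form exists.
function buildHiddenAutoSubmitForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join('\n  ');
  return [
    `<form id="f" method="POST" action="${escapeAttr(action)}" style="display:none">`,
    `  ${inputs}`,
    `</form>`,
    `<script>document.getElementById('f').submit();</script>`,
  ].join('\n');
}

// Sandbox boundary. `null` means the iframe has no sandbox attribute at all.
// Any sandbox value, including "", sets the sandboxed-forms flag unless the
// allow-forms keyword is present, so submission is blocked even when
// allow-scripts lets the auto-submit script run.
function sandboxKeywords(sandbox) {
  return sandbox.toLowerCase().split(/[\t\n\f\r ]+/).filter(Boolean);
}
function scriptRuns(sandbox) {
  return sandbox == null || sandboxKeywords(sandbox).includes('allow-scripts');
}
function formSubmissionAllowed(sandbox) {
  return sandbox == null || sandboxKeywords(sandbox).includes('allow-forms');
}

// CSRF boundary. Does a cookie with this SameSite attribute ride along on a
// cross-site request? Lax (used as the default when the attribute is absent,
// which is Chrome's behaviour) only allows top-level navigations with safe
// methods; Strict never; None always, but only on a Secure cookie. Chrome's
// two-minute "Lax + POST" exception for freshly set default cookies is not
// modelled, so the default case here is the conservative one.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
function cookieSentCrossSite(sameSite, { method = 'GET', topLevel = true, secure = true } = {}) {
  const mode = (sameSite || 'Lax').toLowerCase();
  if (mode === 'none') return secure;
  if (mode === 'strict') return false;
  return topLevel && SAFE_METHODS.has(method.toUpperCase());
}

// Replay the policy table above for the form built here, and list which
// SameSite settings on the target's cookie would make an allowed submission
// a credentialed request. The form submits inside the frame (not top-level),
// which is why SameSite=Lax already stops it.
function policyMatrix() {
  const action = 'https://target.example/transfer';   // hypothetical target
  const html = buildHiddenAutoSubmitForm(action, { to: 'attacker', amount: '100' });
  const policies = [
    [null, 'No sandbox'],
    ['allow-scripts', 'sandbox="allow-scripts"'],
    ['', 'sandbox="" (strictest)'],
  ];
  return policies.map(([sandbox, label]) => ({
    label,
    scriptRuns: scriptRuns(sandbox),
    submitAllowed: formSubmissionAllowed(sandbox),
    credentialedIfSameSite: ['None', 'Lax', 'Strict'].filter((s) =>
      formSubmissionAllowed(sandbox) &&
      cookieSentCrossSite(s, { method: 'POST', topLevel: false })),
    html,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of policyMatrix()) {
    console.log(row.label, '| script runs:', row.scriptRuns,
      '| submit allowed:', row.submitAllowed,
      '| credentialed with SameSite:', row.credentialedIfSameSite.join(',') || 'none');
  }
}
```

Running it prints one line per row of the table above. Only the unsandboxed row submits, and even then the request carries the target's cookie only if that cookie is `SameSite=None; Secure`; a `Lax` cookie is withheld because the navigation happens inside the frame and uses POST. That is the split the explanation describes: `allow-forms` decides whether the request leaves the frame, SameSite decides whether it arrives with credentials.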