How is this Login CSRF Attack prevented? #1567
I have been trying to understand CSRF attacks and the various mitigations, but there is one case where it is not clear to me how it is prevented: the attacker gets you to click or activate some JavaScript that does the following, basically faking the actions of an SPA AJAX login flow:
Now Kratos receives valid credentials, a CSRF cookie, and a CSRF token in the body, logs you in to the attacker's account and redirects you. You are now unknowingly in the application, but not in your account. It seems that I am missing something about what the attacker's JavaScript snippet would be allowed to do? Will the CSRF cookie not get sent by the browser in step 3 because the JavaScript snippet is not coming from the same domain?
That would be an XSS attack, not a cross-site request forgery attack. An XSS attack has a much higher potential for malicious actions than a CSRF attack.
https://owasp.org/www-community/attacks/csrf
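A simplified model of the double-submit check discussed above, added here as an illustration; it is not Kratos's implementation and not part of the discussion. The server key, the two site names, and the HMAC binding between cookie and body token are assumptions; the point it shows is that a script on another site neither receives the SameSite cookie nor can read the token, so the login POST fails the check.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed, simplified model of a double-submit CSRF check. It is not Kratos's
# implementation; the key, site names and token binding are illustrative assumptions.
SERVER_KEY = secrets.token_bytes(32)    # hypothetical server-side secret
APP_SITE = "https://app.example"        # hypothetical site serving the SPA and Kratos
ATTACKER_SITE = "https://evil.example"  # hypothetical attacker-controlled page

def issue_csrf_pair() -> tuple:
    """Server issues a cookie value and a body token bound to it by an HMAC."""
    cookie = secrets.token_hex(16)
    token = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie, token

def csrf_check(cookie: Optional[str], body_token: Optional[str]) -> bool:
    """Server rejects the login POST unless both halves are present and match."""
    if not cookie or not body_token:
        return False
    expected = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, body_token)

def submit_login(page_site: str, cookie: str, token_seen_by_script: Optional[str],
                 same_site_cookie: bool = True) -> bool:
    """Model the browser sending the login POST from a page on page_site.
    The CSRF cookie belongs to APP_SITE: a SameSite cookie is only attached when
    the initiating page is on that site, and a script on another site can read
    neither document.cookie for APP_SITE nor an opaque cross-origin response."""
    sent_cookie = cookie if (page_site == APP_SITE or not same_site_cookie) else None
    return csrf_check(sent_cookie, token_seen_by_script)

def legitimate_spa_login() -> bool:
    cookie, token = issue_csrf_pair()   # SPA on APP_SITE reads token from flow response
    return submit_login(APP_SITE, cookie, token)

def cross_site_script_login(same_site_cookie: bool = True) -> bool:
    cookie, token = issue_csrf_pair()   # server still issues a real pair
    # Without a CORS allow header the attacker's fetch gets an opaque response, so
    # the script never sees the token; the best it can do is send its own value.
    token_seen_by_script = secrets.token_hex(32)
    return submit_login(ATTACKER_SITE, cookie, token_seen_by_script, same_site_cookie)
```

Even with the cookie's SameSite protection switched off in the model, the cross-site attempt still fails because the body token cannot be matched; obtaining both halves requires script running on the application's own origin, which is the XSS case the reply refers to.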