I don't understand why protect_from_forgery is secure. It may provide an authenticity token on every non-GET form, but as far as I can see, it is only static data. I went to several pages on my own site to check this. If that's the case, why couldn't a malicious link already include it, since the coder can obtain it by visiting the site directly? Or is the actual authenticity token randomized over time, and I just haven't tried for long enough?
Note: I have only tried this in the test environment.
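The scheme Rails uses for its authenticity token, reproduced here as an added example written for this page (it is not the question author's code and not Rails' own implementation, and the function names are my own): the server stores one random secret per browser session; every form embeds that secret XORed with a fresh random one-time pad, so the value visible in the HTML changes on each page load while still verifying against the same session secret. A token harvested from the attacker's own session belongs to a different secret and fails verification against the victim's session, which is why copying a token into a malicious page does not work.

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32 # bytes of session secret and of one-time pad

# One random secret per browser session, kept server-side in the session store.
def new_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so verification does not leak the secret byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value embedded in a form: base64(pad || (pad XOR secret)). Differs on every call.
def masked_token(session_token)
  secret = Base64.strict_decode64(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# Recover the session secret from a submitted masked token; nil if malformed.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked)
  return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  enc = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  Base64.strict_encode64(xor_bytes(pad, enc))
rescue ArgumentError
  nil
end

# What the server does on a non-GET request: compare the unmasked submission
# with the secret stored in the requesting browser's session.
def valid_request_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  recovered = unmask_token(submitted)
  return false if recovered.nil?
  secure_compare(recovered, session_token)
end

if __FILE__ == $0
  victim = new_session_token
  attacker = new_session_token
  puts "form load 1: #{masked_token(victim)}"
  puts "form load 2: #{masked_token(victim)}"
  puts "victim's own form token accepted: #{valid_request_token?(victim, masked_token(victim))}"
  puts "token copied from attacker's session accepted: #{valid_request_token?(victim, masked_token(attacker))}"
end
```

Two values from the same session differ only by the random pad, so seeing a stable-looking string across page loads in one browser is expected: the underlying secret is per session, not per request, and it is never the same across two sessions.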