After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me:
Let's say I have a profile page which is for authenticated users only, say abc.com/profile, which shows me all my private info. If I'm logged in, then go to a "bad" site, can this site somehow get and parse my profile page? (I did a little experiment by opening up the Firebug console on a different site, then requesting my profile page, and it seems like at least I can see the whole content in the "Response" of the "Net" tab; haven't figured out how to get this content and parse it yet though. But perhaps it's possible?)
Now assume that I have on my profile page a form, which of course has a CSRF token. Now if an attacker could get my profile page, he could just parse that content, get the token, then submit a fake form?
Now assume that 1 and 2 are correct, what should I do to prevent such cases from happening?