As you can see, CSRF has the ability to execute actions in an application from other domains. You do not need to inject code into the application to perform these actions—you just need to execute them from another place to the target application, and that is all.

To avoid the execution of these actions from other places, developers created the same-origin policy. It is a protection that states that all the actions need to be from the same domain. For example, it limits the application, because you cannot expose an API, but it works for consuming services internally.

There are some techniques to exploit a CSRF, despite whether the application is protected by a same-origin policy.