When sending a CSRF using the form method, POST cookies are automatically included in the request by the browser. But what happens if XMLHttpRequest is used?
var xhttp = new XMLHttpRequest();
xhttp.open('POST', url, true);
xhttp.send();
Will the above code work like the following?
<form method="POST" action="http..."> etc.
Some websites use withCredentials=true, but others don't, so I am a little confused.