* These are submitted with a form (over POST, hopefully) *<p>I don't think that the author implies that using POST prevents CSRFs but the article seems to imply it. In case anyone thinks it is the case: using POST won't prevent a CSRF.<p>Cross Site Request Forgeries occur when a user opens an "evil" page on site B, while being logged on site A. If site A solely relies on cookies in order to identify logged users, there is a risk of CSRF. The attack exploits the fact that the user's browser will always send the auth cookies when issuing a request to siteA.
If the evil page on siteB embeds an image (or script, or any resource that can be loaded using an URL) whose source is an URL on siteA, the browser will request the resource on siteA with the auth cookie coming along.<p>In order to issue a POST request to siteA from the evil page, the attacker only has to submit a crafted POST form using an iframe.