
security - Is having a CSRF with FastAPI any safer than not? - Stack Overflow


I've just read this article about Flask and using a Svelte frontend with a separate API, specifically the section called "Frontend Served Separately (cross-domain)".

They are creating a CSRF cookie and a header X-CSRFToken, and I've just built something similar using FastAPI.

Is this actually any more secure because couldn't a bad actor:

  • Get a user to click on something
  • New page calls the CSRF page and sets cookie/header cross domain
  • On post the cookie/header are set

I know I must be missing something but I am confused. The code in question is:

from flask import Flask, jsonify
from flask_wtf.csrf import generate_csrf

app = Flask(__name__)
# generate_csrf() needs a configured secret; placeholder value, not from the article
app.config["SECRET_KEY"] = "change-me"

@app.route("/api/getcsrf", methods=["GET"])
def get_csrf():
    # Flask-WTF stores the token in the (signed) session cookie and returns it here
    token = generate_csrf()
    response = jsonify({"detail": "CSRF cookie set"})
    # The frontend reads this response header and echoes it back on later requests
    response.headers.set("X-CSRFToken", token)
    return response
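The check that makes the cookie/header pair worth having, as an added example that is not part of the original post or the article it cites (framework-agnostic Python rather than Flask or FastAPI, so it runs stand-alone; names such as verify_csrf, COOKIE_NAME and the hard-coded SECRET_KEY are assumptions of this example). The server mints an HMAC-signed token, sets it as a cookie and returns it in a response header; a request is accepted only when the cookie and the X-CSRFToken request header carry the same, validly signed, unexpired token. The constructed scenarios at the bottom correspond to the attack steps in the question: the browser attaches the cookie to a cross-site request, but a cross-site form post cannot add a custom header, and a page on another origin cannot read the X-CSRFToken response header unless the API exposes it via CORS.

```python
import hashlib
import hmac
import secrets
import time
from typing import Mapping, Optional, Tuple

# Placeholder secret for this example; load it from configuration in real code.
SECRET_KEY = b"example-only-secret-do-not-use"
COOKIE_NAME = "csrftoken"
HEADER_NAME = "x-csrftoken"  # compared case-insensitively
TOKEN_TTL = 3600             # seconds a minted token stays valid


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so a client cannot mint its own token."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(now: Optional[float] = None) -> str:
    """Mint 'nonce.timestamp.signature'; set it as the cookie and return it in a header."""
    ts = int(time.time() if now is None else now)
    payload = f"{secrets.token_urlsafe(16)}.{ts}"
    return f"{payload}.{_sign(payload)}"


def token_is_valid(token: str, now: Optional[float] = None) -> bool:
    """Reject tokens with a bad signature, a malformed timestamp, or past TOKEN_TTL."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, ts_str, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{nonce}.{ts_str}")):
        return False
    try:
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= TOKEN_TTL


def verify_csrf(cookies: Mapping[str, str], headers: Mapping[str, str],
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Double-submit check: cookie and header must both be present, equal and valid.

    In FastAPI this would sit in a dependency that passes request.cookies and
    request.headers; here it takes plain mappings so it runs without a framework.
    """
    cookie_token = cookies.get(COOKIE_NAME)
    header_token = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME)
    if not cookie_token:
        return False, "missing cookie"
    if not header_token:
        return False, "missing header"
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "cookie/header mismatch"
    if not token_is_valid(cookie_token, now):
        return False, "bad signature or expired"
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed requests modelling the steps in the question."""
    token = issue_csrf_token()
    return {
        # Legitimate frontend: read X-CSRFToken from /api/getcsrf and echoed it back.
        "same_origin_fetch": verify_csrf({COOKIE_NAME: token}, {"X-CSRFToken": token}),
        # Cross-site <form> post: the browser sends the cookie, but a form cannot set
        # a custom header, so the header is absent.
        "cross_site_form": verify_csrf({COOKIE_NAME: token}, {}),
        # Attacker plants its own value in both places (e.g. via a sibling subdomain
        # cookie): the pair matches, but the signature does not verify.
        "forged_pair": verify_csrf({COOKIE_NAME: "evil.0.deadbeef"},
                                   {"X-CSRFToken": "evil.0.deadbeef"}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:18s} accepted={ok} ({reason})")
```

The signature is what distinguishes this from a bare double-submit cookie: without it, an attacker who can set a cookie for the parent domain (from a compromised sibling subdomain) could plant any value and echo it in the header. Expiry bounds how long a leaked token is useful. A cross-origin `fetch` that adds X-CSRFToken triggers a CORS preflight, so the API's CORS policy (allowed origins, credentials, exposed headers) is the other half of the protection and must not be `*`.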