[symfony-users] Re: How to secure links with CSRF

2010-01-26 Thread Enrico Stahn
Finally gerryvdm from the #symfony IRC channel gave me a good answer:
[17:12] gerryvdm: the goal is to prevent users unwillingly perform actions on your site, which really only should be possible when submitting a form
[17:13] gerryvdm: never use GET requests for destructive operations
[17:15]

[symfony-users] Re: How to secure links with CSRF

2010-01-20 Thread absalito
CSRF is about protecting forms from spamming, adding a field generated at runtime that identifies the form as unique. If the form is used otherwise than through the application, the field for CSRF will not be valid, and therefore it will be identified as an attack. See it on Wikipedia.
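
An added example, not part of the original posts and not symfony's own code: a plain-PHP sketch of the runtime-generated form field discussed in this thread, combined with the advice to keep destructive operations off GET. The function names, the action string and the session secret are hypothetical.

```php
<?php
// Added example: per-session CSRF token bound to one action.
// csrf_token(), allow_state_change() and 'post/delete/42' are hypothetical names.

function csrf_token(string $sessionSecret, string $action): string
{
    // The HMAC ties the token to both the user's session and the target action,
    // so a token taken from one form is not valid for another.
    return hash_hmac('sha256', $action, $sessionSecret);
}

function allow_state_change(string $method, string $action, ?string $submitted, string $sessionSecret): bool
{
    // Destructive operations are only accepted over POST, never GET.
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    // A missing or empty token field is rejected outright.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison avoids leaking the expected token via timing.
    return hash_equals(csrf_token($sessionSecret, $action), $submitted);
}

// Constructed sample data: in an application the secret lives in the server-side session.
$secret = bin2hex(random_bytes(32));
$action = 'post/delete/42';
$token  = csrf_token($secret, $action);

$requests = [
    'form POST with token'     => ['POST', $action, $token],
    'plain GET link'           => ['GET',  $action, $token],
    'POST without token'       => ['POST', $action, null],
    'token from other action'  => ['POST', $action, csrf_token($secret, 'post/edit/42')],
    'token from other session' => ['POST', $action, csrf_token(bin2hex(random_bytes(32)), $action)],
];

foreach ($requests as $label => [$method, $act, $submitted]) {
    $ok = allow_state_change($method, $act, $submitted, $secret);
    printf("%-26s => %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first constructed request is accepted; the other four are rejected.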

[symfony-users] Re: How to secure links with CSRF

2010-01-20 Thread Enrico Stahn
Hi absalito, I'm already familiar with the topic in general, but thanks for mentioning Wikipedia because of: "The attacker must determine the right values for all the form's or URL's inputs." This means, to my understanding, URLs are a valid possibility to request actions that change data, therefore