Retrieving CSRF token cross-domain using JSONP, risky?

Looking at this previous question, the answer suggests that using a GET request to retrieve a CSRF token in order to make a POST is a legitimate method of preventing CSRF attacks.

I have two websites, and a form is used to communicate between them -- a login form. These two sites are on separate subdomains, and the form itself on Site A is: <form method="post" action="https://siteB.com/login">..</form>

Site B requires a CSRF token to be sent in via a hidden input, so on page load, I make a JSONP call to //siteB.com/getCSRFToken, which sends back the valid token. I use JavaScript to insert the hidden input element into the form, the user is none the wiser, and the form submits properly.

Are there potential security implications to doing this? SiteB is an Express-backed Node application, so I am just using their CSRF middleware to handle generation/expiration.