[Ur] CSRF protection

Chris Double chris.double at double.co.nz
Mon Nov 25 17:55:27 EST 2013


If I understand correctly, Ur/Web has built-in CSRF protection for
forms. Does this extend to post requests done via 'rpc' calls in
'onclick' handlers on buttons? For example:

<button onclick={fn _ => rpc (delete_something ())}/>

Can the POST request that occurs in the onclick be recorded and
replayed, or run via an evil site in an iframe (or any other CSRF
vector)?

A quick test gave me a cookie error so I'm thinking it's safe but I'd
like to confirm.
--
http://www.bluishcoder.co.nz
