
Both of those attacks fail if the page protects itself against CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prev...



You can initiate an XSS attack without making any cross site requests. Being able to launch a CSRF attack is not a prerequisite for being able to launch an XSS attack. It does help though.


If I didn't know that, my original post would have said that all the Apple pages would be invulnerable if they prevented CSRF. I think the expresslane page is one where data could go in the database and others could see it.

CSRF is not a prereq in general, but it is a prereq for the attacks tripzilch listed.


A simple example: you can pass a link to someone and have some javascript that submits a form for them without them knowing.



