If I didn't know that, my original post would have said that all the Apple pages would be invulnerable if they prevented CSRF. I think the expresslane page is one where data could go in the database and others could see it.
CSRF is not a prereq in general, but it is a prereq for the attacks tripzilch listed.