>reading CSRF tokens from page contents because it was a subdomain.

Huh? I don't think you can read page contents unless the origin matches exactly (scheme://host:port).