CSRF is more dangerous in that your browser does not have to "see" active content such as JavaScript, so an image laced with a simple malicious src is enough. Temporary XSS is much more worthless, although "dangerous" in the sense that cookies could be stolen - however, stealing cookies in this manner is...inelegant, so to speak. Although you could also post forms using such XSS, making it equivalent