where a script is inserted into the HTML code of a legitimate website and directs users or information to another site.

exploits the trust the user has in the remote server to send code that runs on the user’s computer, which is the opposite of Cross-Site Request Forgery (XSRF)

stored or persistent XSS