Which attack involves injecting content onto a third-party site that causes the victim's browser to perform actions on another site?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which attack involves injecting content onto a third-party site that causes the victim's browser to perform actions on another site?

Explanation:
Cross-Site Request Forgery (CSRF) is about leveraging the user's authenticated session to perform actions on another site. The attacker places malicious content on a third-party site the victim visits, and when the victim's browser loads that content, it unknowingly sends a request to a different site where the user is logged in. Because the browser automatically includes the user's authentication cookies, the request appears legitimate, and the target site carries out the action without the user's explicit consent.

This differs from XSS, which injects script into a site to run in the victim's browser within that site's context; from SQL Injection, which targets the backend database rather than the browser; and from Clickjacking, which tricks the user into clicking something through a deceptive UI rather than silently forcing cross-site actions via the user's authenticated session.