HTTP Methods Matter

Django's CSRF middleware only checks "unsafe" HTTP methods, such as POST. A GET request passes through unchecked because, in HTTP parlance, a GET shouldn't have any side effects.

Here, we've embedded an image link pointing at the URL we want our visitor's browser to GET (ssda.veryveryvulnerable.com/nuke/). No image loads, but the browser still happily makes that GET request.
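To make the mitigation concrete, here is an added example (not code from the original page or from Django itself) that simulates the middleware's decision in plain Python: a view that does its work on any method is compared with one that refuses everything but POST, the way Django's `require_POST` decorator does. The `Request` class, `csrf_check` and the token-equality comparison are simplified stand-ins for Django's real objects.

```python
"""Simulated Django request/CSRF flow (not Django's own code) showing why a
state-changing view must refuse GET: the CSRF check never runs for it."""
from dataclasses import dataclass, field

# RFC 7231 "safe" methods, the same set Django's CsrfViewMiddleware skips.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_check(request: Request) -> bool:
    """Mirror of the middleware's decision: safe methods are waved through
    untouched; unsafe ones must carry a token matching the cookie.
    (Django compares masked tokens; plain equality is a simplification.)"""
    if request.method in SAFE_METHODS:
        return True
    return request.post.get("csrfmiddlewaretoken") == request.cookies.get("csrftoken")


LAUNCHED = []  # constructed side-effect log standing in for a database write


def nuke_on_any_method(request: Request) -> int:
    """Vulnerable: does its work on whatever method arrives, GET included."""
    if not csrf_check(request):
        return 403
    LAUNCHED.append(request.method)
    return 200


def nuke_post_only(request: Request) -> int:
    """Hardened: rejects non-POST with 405 (what @require_POST does), so the
    only route to the side effect is one the CSRF check actually covers."""
    if request.method != "POST":
        return 405
    if not csrf_check(request):
        return 403
    LAUNCHED.append(request.method)
    return 200


if __name__ == "__main__":
    # An <img>-triggered fetch: GET, no form body, cookies attached by the browser.
    print(nuke_on_any_method(Request("GET", cookies={"csrftoken": "abc"})))  # 200
    print(nuke_post_only(Request("GET", cookies={"csrftoken": "abc"})))      # 405
    print(nuke_post_only(Request("POST", cookies={"csrftoken": "abc"})))     # 403
```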