So let's see if I have the concept correct or not.
I set up a website that automatically sends a partial request to example.com
example.com has a 60 second timeout before canceling the request, but for those 60 seconds a connection port is sitting there waiting.
I use CSRF to pop the link to my magic website in to an image code, which shows up to you as either a broken link, or text. However, you are actually being routed to my website, which is effectively transferring you to example.com with an incomplete request. Because of this incomplete request being due to a transfer, the attack looks like it's actually coming from whoever sees this image (or it may look like it's coming from my website, whatever the case). So if I have 500 people look at the "image" at one time, they are actually partially requesting example.com.
That about correct?
“Teach me how to hack!”
"What, like, with an axe?"