Preventing cross-site request forgery
There's a problem with every browser's security model that, as developers, we must be aware of.
When a user has logged in to a site, any requests made via the authenticated browser are treated as legitimate — even if the links for these requests come from an email, or are performed in another window. Once the browser has a session, all windows can access that session.
This means an attacker can manipulate a user's actions on a site they are logged in to with a specially crafted link, or with automatic AJAX calls that require no user interaction beyond visiting the page that contains the malicious script.
For instance, if a banking web app hasn't been properly secured against CSRF, an attacker could convince the user to visit another website while logged in to their online banking. This website could then run a POST request to transfer money from the victim's account to the attacker's account without the victim's consent or knowledge.
This is known as a Cross-Site...
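The banking scenario above, as an added example that is not from the original text: a minimal transfer handler that trusts the session alone, beside a hardened version that also checks the request's Origin and a per-session synchronizer token. The in-memory accounts, the site origin and the handler names are constructed for this illustration.

```python
import hmac
import secrets

# Constructed in-memory "bank" state and site origin (assumptions for this example).
ACCOUNTS = {"victim": 1000, "attacker": 0}
SITE_ORIGIN = "https://bank.example"

def issue_csrf_token(session):
    """Mint one unguessable token per login session; the site embeds it in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_token_valid(session, submitted):
    """Constant-time comparison; a missing or wrong token fails closed."""
    expected = session.get("csrf_token")
    return bool(expected) and submitted is not None and hmac.compare_digest(expected, submitted)

def origin_allowed(headers):
    """Browsers attach Origin (or Referer) to cross-site POSTs; accept only our own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    return source is not None and (source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/"))

def do_transfer(session, form):
    """The money movement itself, run only after the handler's checks pass."""
    src, dst, amount = session["user"], form["to"], int(form["amount"])
    if ACCOUNTS[src] < amount:
        return "insufficient funds"
    ACCOUNTS[src] -= amount
    ACCOUNTS[dst] += amount
    return "ok"

def transfer_unprotected(session, headers, form):
    """Vulnerable handler: the session cookie alone is trusted, so a cross-site POST is honoured."""
    if "user" not in session:
        return "not logged in"
    return do_transfer(session, form)

def transfer_protected(session, headers, form):
    """Hardened handler: same login check, plus Origin check, plus synchronizer token check."""
    if "user" not in session:
        return "not logged in"
    if not origin_allowed(headers):
        return "rejected: cross-site origin"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return "rejected: bad csrf token"
    return do_transfer(session, form)
```

A request that carries the victim's session cookie but arrives from another origin, or without the token the site embedded in its own form, is refused by the hardened handler while the unprotected one moves the money.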