But this example is obviously not malicious. There are two types of information that are traded that can be a problem for the Internet user. The first is privacy related. Information can be exchanged about the user’s visit, so that the other domain receives information about that visit. This is usually used for advertising purposes to track a user on the Internet.

The second is more dangerous, when malicious or undesired actions are triggered by the cross-domain request, called Cross-Site Request Forgery.

CSRF is considered very dangerous, as indicated by its ranking in the OWASP top 10 and the CWE/SANS top 25. The problem with a CSRF attack is that it makes requests on behalf of the user, without his/her knowledge. For instance, if a site (e.g. example.com) makes hidden requests to another site (e.g. myonlinebank.com), it can potentially cause harmful effects (transfer funds, create accounts, …).

The Firefox add-on CsFire protects the Internet user against malicious cross-domain requests. The add-on basically nullifies them by removing authentication information like cookies and authentication headers to eliminate the possibility that these requests can be harmful to the user.

CsFire provides a secure-by-default policy, which can be extended with fine-grained remote policies as well as fine-grained local policies. The remote policies are obtained from a policy server, to selectively allow certain harmless cross-domain requests (e.g. sharing items on facebook). The local policies allow you to specify certain cross-domain requests that should be treated differently, should you wish to do so (this is not required in normal surfing scenarios).

CsFire is based on an academic research paper CsFire: Transparent client-side mitigation of malicious cross-domain requests that was published on Engineering Secure Software and Systems 2010.

The CsFire add-on is available for all Firefox versions from Firefox 3.5 to 4.0b7. It is possible to force compatible to make it compatible with the latest nightly builds as well.

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user’s web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted at the Register.

Sometime in the last three days, Google’s login pages began setting a cookie with a unique token on each user’s browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.