Cross-site request forgery (“XSRF”) is a type of web exploit in which an attacker attempts to perform actions on behalf of an authenticated user without that user's knowledge. The attack generally involves creating malicious web content. When a victim browses the malicious web content, the victim's browser is induced to issue an attacker-controlled request to a third-party web service. If the victim is authenticated to the third-party service, the request is sent with the browser's cookies or other authentication credentials. With the victim's authentication in place, the malicious content can cause undesirable actions to be executed on behalf of the victim at the third-party service, without the victim's consent. As examples, where the third-party web service is a blog system or an email system, the undesirable actions could include deleting or modifying a blog, or adding an email-forwarding rule.
In a web-based system where one service redirects to another service (for example to complete a login process or payment transaction), the functionality for returning from the redirection service and jumping back into the original service creates a window for XSRF attacks. These attacks may involve calling into the return page as though a legitimate user were simply returning from a redirection. There is a need in the art for effectively protecting against cross-site request forgeries, particularly in the context of browser redirections.
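As an added illustration that is not part of this text, the following Python sketch models the return-page window described above from the defender's side: the original service mints a per-session state value before redirecting, and the return handler accepts only a request that presents that value, rejecting forged or replayed returns. The session store and the function and parameter names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store keyed by the session cookie value.
# A real service would use its own session mechanism.
SESSIONS = {}


def begin_redirect(session_id: str) -> str:
    """Called when the original service sends the user to the redirection
    service (login or payment provider). Mints a single-use, unguessable
    state token, binds it to the user's session and returns it so the
    caller can include it in the return URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["pending_state"] = state
    return state


def handle_return(session_id: str, query_string: str) -> tuple[int, str]:
    """Return-page handler. A request reaching this page is honoured only
    if it carries the state token previously bound to this session; the
    token is then consumed so a replay of the same return request fails."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 403, "no session"
    expected = session.get("pending_state")
    params = parse_qs(query_string)
    presented = params.get("state", [""])[0]
    # Constant-time comparison; missing, foreign or reused tokens all fail.
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return 403, "state mismatch"
    session.pop("pending_state")
    txn = params.get("txn", [""])[0]
    return 200, f"completed {txn}"
```

A forged return request from attacker-controlled content cannot supply the victim's pending state, because that value was issued only to the victim's browser within the victim's own session.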