Generally, browsers stop cross-site communication by following the
"same-origin policy". This rule is pretty simple: if your site has a
different origin – protocol, domain, and port don’t all match – you
aren’t allowed to access information from or send requests to the other
site. Without this simple rule, there would be no security on the
internet. Every website could access data from every other one – you’d
need a separate web browser for every website.
Unfortunately, the same-origin policy is nowhere near airtight.
Attackers don’t even need an exploit to bypass it. They can simply
embed an IMG, SCRIPT, IFRAME, or FORM tag that references the targeted
website in an HTML page. When the victim’s browser renders this tag, it
generates a request and sends it to the targeted website – right around
the same-origin policy. This is a feature of all browsers – it’s used
by many applications to grab images from other sites and to post from
data to services.
Attackers can use this loophole to forge requests that appear to be
coming from a legitimate user. These are called cross-site request
forgeries, or CSRF, for short.
Article: http://www.theregister.co.uk/2008/08/29/hijacked_browser/
