Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request
Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.
Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
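A sketch of the pop-up confirmation flow described above, as an added example that is not part of the original answer. It assumes the confirmation page also sends anti-framing headers and uses a one-time token bound to the session; the names `ACTIONS`, `handle`, `onWidgetClick` and the host `app.example` are hypothetical.

```javascript
const crypto = require("crypto");

// Hypothetical names throughout: ACTIONS, handle, onWidgetClick, app.example.
const ACTIONS = new Set(["subscribe", "like"]);   // allow-list of confirmable actions
const pending = new Map();                        // one-time token -> {sessionId, action}

// Assumption: sent on every response so the confirmation page is never rendered in a frame.
const NO_FRAMING = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

// Server side, framework-neutral: GET renders the confirmation, POST performs it.
function handle({ method, sessionId, action, token }) {
  const reply = (status, body) => ({ status, headers: NO_FRAMING, body });
  if (method === "GET") {
    if (!ACTIONS.has(action)) return reply(400, "unknown action");
    const t = crypto.randomBytes(16).toString("hex");
    pending.set(t, { sessionId, action });
    return reply(200, `<form method="POST"><input type="hidden" name="token" value="${t}">` +
                      `<button>Confirm: ${action}</button></form>`);
  }
  if (method === "POST") {
    const entry = pending.get(token);
    pending.delete(token);                        // single use, even on mismatch
    if (entry && entry.sessionId === sessionId) {
      return reply(200, `done: ${entry.action}`); // the state change happens only here
    }
  }
  return reply(403, "not confirmed");
}

// Widget side, in the embedding page: the click only opens a top-level window.
// The widget itself never sends the state-changing request.
function onWidgetClick(win, action) {
  const url = `https://app.example/confirm?action=${encodeURIComponent(action)}`;
  win.open(url, "_blank", "noopener,width=480,height=320");
  return url;
}
```

In a browser the widget would call `onWidgetClick(window, "like")` from its click handler; `handle` would be wired to whatever routes the application uses for the confirmation page.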