How to protect widgets from forged requests

Backend · Unresolved · 6 answers · 1126
孤独总比滥情好 2020-12-10 11:37

Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request

6 answers
  •  借酒劲吻你
    2020-12-10 11:55

    --UPDATE-- When you say "widget", if you mean something outside of your application that un-authenticated people interact with, then disregard this answer. I reread your question and you never really state what you mean by "widget". We have all kinds of "widgets" that are within our application. I thought that's what you were talking about, everything inside an application that only authenticated users were interacting with. If that is the case then this answer is what OWASP recommends.

    --Original Answer-- "You don't want this request to be vulnerable to CSRF so you write an iframe to the page." No, don't make an iframe, that way you can do the normal OWASP recommendation for protecting against Cross Site framing.

    To protect against CSRF hash some value(s), include it in your form (or ajax POST data), then check the hash value on the back end. If it matches it's from your site. The more specific data you can put in the hash the better.

    Example: When a user signs in you can create a long random string and tie that to their session. This string must never be visible on your site or when viewing the source. Then let's say the user pulls up some specific record that they want to edit. You could then take that user's long random string you created, append that record's primary key to it, then hash them. The result of that hash you can include in your form as a hidden field. Then on your backend, before you do anything, you check for the presence of that hidden field; if it doesn't exist, abort. If it does exist, take that user's random session string and the clear text primary key they submitted, hash them, and if it matches you know it's from your site.

    And it's easy to add this everywhere even if your site is already written (assuming your site has some single piece of code included on all pages, like a footer). Make the hashed value and place it in a hidden div somewhere in your footer. Then you can use jQuery to dynamically add this hash value as a hidden field to all forms on the page. And you can use jQuery.ajaxPrefilter to add it to all ajax POSTs automatically in case you are doing an ajax post and not a normal form post. We've protected some very large sites that were already coded this way.

    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

    If this sounds like the path you want to take I could show some of the jQuery code for doing it. As far as what you are hashing, how you want to check it on the backend, etc... that all depends on if you are using ColdFusion, PHP, PL/SQL (psp) etc... I can point you in the right direction if it's one of those.
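The server side of the scheme this answer describes (per-session secret that never reaches the browser, a token derived from it plus the record's primary key, and a check before any state change), as an added example that is not part of the answer or of any project mentioned. The session store, session ids, record ids and form dictionaries are constructed stand-ins. One deliberate swap: the answer says "hash" the secret and the primary key together; the example uses HMAC-SHA256 keyed with the session secret, which is the standard keyed form of that idea, and compares with a constant-time function.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server-side session store: session id -> secret.
# In a real application this lives in the session backend, never in page source.
_SESSIONS: dict[str, bytes] = {}


def start_session(session_id: str) -> None:
    """Called at sign-in: bind a long random secret to the user's session."""
    _SESSIONS[session_id] = secrets.token_bytes(32)


def form_token(session_id: str, record_id: str) -> str:
    """Value to embed as the hidden field when rendering the edit form for record_id.

    HMAC(secret, record_id) plays the role of the answer's hash(secret + primary key):
    only a page served by this site, for this session, can produce it.
    """
    secret = _SESSIONS[session_id]
    return hmac.new(secret, record_id.encode(), hashlib.sha256).hexdigest()


def verify_post(session_id: str, form: dict[str, str]) -> tuple[bool, str]:
    """Run before any state change on a POST. Returns (accepted, reason).

    The form dict is assumed to carry 'record_id' (the clear-text primary key the
    user submitted) and 'csrf_token' (the hidden field); both names are assumptions.
    """
    submitted = form.get("csrf_token")
    record_id = form.get("record_id")
    if submitted is None or record_id is None:
        # Answer's first rule: if the hidden field is absent, abort.
        return False, "missing token or record id"
    secret = _SESSIONS.get(session_id)
    if secret is None:
        return False, "unknown session"
    expected = hmac.new(secret, record_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    if not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Exercise the check with a legitimate post and the failure modes the answer implies."""
    start_session("alice")
    start_session("bob")
    token = form_token("alice", "42")
    return {
        "legitimate": verify_post("alice", {"csrf_token": token, "record_id": "42"}),
        "no_token": verify_post("alice", {"record_id": "42"}),
        # Token was issued for record 42; reusing it against record 43 fails.
        "other_record": verify_post("alice", {"csrf_token": token, "record_id": "43"}),
        # Token from alice's session is worthless in bob's session.
        "other_session": verify_post("bob", {"csrf_token": token, "record_id": "42"}),
        # A forged request cannot know the secret, so it can only guess a token.
        "guessed": verify_post("alice", {"csrf_token": "0" * 64, "record_id": "42"}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The token is tied to both the session secret and the record id, so it cannot be lifted from one form and replayed against another record, and a token leaked from one user's page does not help against another session. The check runs before the handler does anything else, which is the ordering the answer insists on.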
