How to protect widgets from forged requests

Backend · unresolved · 6 answers · 1135
孤独总比滥情好 · 2020-12-10 11:37

Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request

6 answers
  •  暗喜 (OP) · 2020-12-10 12:12

    I think I understand what you're doing. You want to allow any site to iframe your widget, thus an attacker has complete control of the parent's source code and can create clickjacking routines to force users to click the widget.

    So the iframe would be able to employ a CSRF token, as it should, which will protect from this type of attack so long as the parent frame is unable to read the token.

    Clickjacking, as I am sure you know, is a completely different type of attack than CSRF and needs a different defense.

    Really, if the widget is super important, then implement 2-phase authentication. Use http://twilio.com to call the user and have him input a PIN. Or send an email to the user with a verification link. Or ask the user to verify the action next time the user logs into your widget's website.

    If you had control of the parent frame, then you would have more options. It would then be an XSS protection matter.

    Update after the correct answer has been selected

    So my approach to protecting against clickjacking is a bit overboard. Looks like it can be protected using a popup window with a confirmation action.
