This technique is exactly how the MySpace (Samy) worm defeated MySpace's anti-CSRF defenses in 2005, which enabled the worm to propagate.
XSS cannot defeat challenge-response defenses such as Captcha, re-authentication or one-time passwords.
Your defenses will have to adjust for that if that is allowed.
Both of these steps rely on examining an HTTP request header value.
For more information on CSRF, please see the OWASP Cross-Site Request Forgery (CSRF) page.
Cross-Site Scripting is not necessary for CSRF to work.
Only the browsers themselves can set values for these headers, making them more trustworthy because not even an XSS vulnerability can be used to modify them.
The Source Origin check recommended here relies on three of these protected headers: Origin, Referer, and Host, making it a pretty strong CSRF defense all on its own.
To identify the source origin, we recommend using one of two standard headers, at least one of which almost every request includes: if the Origin header is present, verify that its value matches the target origin.
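The Origin-then-Referer comparison described here, as an added example (this is not code from the OWASP cheat sheet): `origin_of` and `verify_source_origin` are hypothetical names, the target origin is assumed to be supplied by the application, and blocking a request that carries neither header is an assumption of this example, not something the page states.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL (an Origin or Referer value) to its origin: scheme://host[:port]."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None  # covers the literal "null" Origin and garbage values
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    # Drop the default port so "https://a.example:443" equals "https://a.example".
    if port is None or port == {"http": 80, "https": 443}.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def verify_source_origin(headers: Dict[str, str], target_origin: str) -> Tuple[bool, str]:
    """Source Origin check: use Origin when present, otherwise fall back to Referer.

    Header names are matched case-insensitively. Returns (allowed, reason).
    Comparing full origins, not string prefixes, keeps a host such as
    app.example.attacker.example from passing as app.example.
    """
    h = {k.lower(): v for k, v in headers.items()}
    target = origin_of(target_origin)
    if target is None:
        return False, "invalid target origin"
    origin = h.get("origin")
    if origin is not None:
        if origin_of(origin) == target:
            return True, "Origin header matches target origin"
        return False, f"Origin header {origin!r} does not match target origin"
    referer = h.get("referer")
    if referer is not None:
        if origin_of(referer) == target:
            return True, "Referer origin matches target origin"
        return False, f"Referer {referer!r} does not match target origin"
    # Assumption for this example: with neither header present we block the request.
    return False, "neither Origin nor Referer present"
```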
The Origin HTTP Header standard was introduced as a method of defending against CSRF and other Cross-Domain attacks.
Impacts of successful CSRF exploits vary greatly based on the privileges of each victim.
When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions.
It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can't be circumvented.