Don't be misled: just because it's in the Ajaxian doesn't mean that this is purely a problem with web applications that use Ajax. In fact, if I understand CSRF correctly, an out-of-the-box OpenACS application that uses ad_form is possibly vulnerable. Well, except for the login form :-) Curious? Read on....
What is CSRF?
CSRF is an acronym for "cross site request forgery". Also known as "session riding", it describes a malicious exploit where a script takes advantage of an authenticated session to get information from the site that your browser is currently authenticated with: in Gmail's case your contact list, but in other cases your personal or, worse, your financial information.
How does it work?
The players involved are (A) you, the user, (B) the site with the malicious script and (C) the website you are currently logged in to or authenticated with. Examples of (C) are Gmail, your online banking website or an OpenACS web application.
The scenario would go something like this.
The user (A) logs in to (C) and stays logged in by checking "Remember me on this computer". In another window or tab, (A) goes to a website (B) with the malicious script. The script in (B) gets executed either by clicking a link or by loading a page. The script from (B) then attempts to access (C) using the authenticated session (the browser sends (C)'s cookies along with any request to (C), whichever page made it) and tries to retrieve information such as your contact list.
So this exploit only works if the user (A) is logged in to (C) at the moment the script in (B) is executed.
Where did Gmail go wrong?
In the case of Gmail, they were exposing a URL that returned JSON-structured data containing the contact list, retrievable with a plain GET and no token beyond the session cookie. Hence you could put this URL in a script tag with its src pointing to it, and the response would be evaluated as JavaScript in the page that included it. Like so
Is my OpenACS web application vulnerable?
Unless your OpenACS application is running a web service or providing some sort of API, chances are it's not.
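The two checks that close the holes described above (a JSON endpoint that can be pulled in via a script tag, and a form handler that trusts the session cookie alone) are easiest to see in code. The following is an added example written for this post, not code from OpenACS or from Gmail; the server framework, the `Request`/`Session` classes, the site origin `https://app.example.org` and the form name `edit-profile` are all assumptions standing in for whatever your application uses. It shows a per-session form token bound to the form name, an Origin/Referer check, and a non-executable prefix on JSON responses so that including the URL in a `<script src=...>` tag yields a syntax error instead of data.

```python
"""Minimal server-side CSRF defenses (illustrative, not OpenACS code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed origin of the trusted site (C); a real app would read this from config.
SITE_ORIGIN = "https://app.example.org"

# Prefix that makes a JSON body unparseable as a JavaScript program: a statement
# beginning with ')' is a syntax error, so <script src=...> gets nothing. A
# same-origin XMLHttpRequest caller strips it before json-decoding.
JSON_PREFIX = ")]}',\n"


@dataclass
class Request:
    """Constructed stand-in for the framework's request object."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session; csrf_secret never leaves the server."""
    session_id: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


def csrf_token(session, form_name):
    """Token embedded as a hidden field when the form is rendered.

    It is an HMAC of the form name under a per-session secret, so site (B)
    cannot compute it: it never sees the secret, only the cookie is replayed.
    """
    key = bytes.fromhex(session.csrf_secret)
    return hmac.new(key, form_name.encode(), hashlib.sha256).hexdigest()


def token_valid(session, form_name, presented):
    """Constant-time comparison of the submitted token against the expected one."""
    return hmac.compare_digest(csrf_token(session, form_name), presented or "")


def origin_allowed(headers):
    """Accept the request only if the browser says it came from our own origin.

    Origin is preferred; Referer is a fallback. A missing header is rejected
    because a forged cross-site form post is exactly the case we cannot tell apart.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlparse(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_form_post(request, session, form_name):
    """Form handler: returns (status, message). Forged cross-site posts get 403."""
    if request.method != "POST":
        return 405, "method not allowed"
    if not origin_allowed(request.headers):
        return 403, "cross-site request rejected (origin)"
    if not token_valid(session, form_name, request.form.get("__csrf_token")):
        return 403, "cross-site request rejected (token)"
    return 200, "ok"


def render_contacts_json(contacts):
    """Read-only JSON endpoint: prefix the body so it is not runnable as a script."""
    return JSON_PREFIX + json.dumps(contacts)


def parse_contacts_json(body):
    """What the legitimate same-origin client does with the prefixed response."""
    if not body.startswith(JSON_PREFIX):
        raise ValueError("unexpected response framing")
    return json.loads(body[len(JSON_PREFIX):])


if __name__ == "__main__":
    sess = Session("sid-demo")
    token = csrf_token(sess, "edit-profile")
    good = Request("POST", "/edit", {"Origin": SITE_ORIGIN}, {"__csrf_token": token})
    forged = Request("POST", "/edit", {"Origin": "https://evil.example"}, {})
    print(handle_form_post(good, sess, "edit-profile"))    # (200, 'ok')
    print(handle_form_post(forged, sess, "edit-profile"))  # (403, ...)
    print(render_contacts_json([{"name": "alice"}]))
```

The token check is what ad_form-style handlers lack out of the box: the cookie proves the session, the token proves the form was rendered by (C) to that session. The JSON prefix addresses the Gmail case specifically, where the data was returned on a GET and a script tag was enough to evaluate it.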