When creating a website, we tend to code the client-side and the server-side together. We build the pages and forms a user will interact with on the client-side, then build the server-side URLs that respond when the user performs an action.
However, requests can be triggered to the server-side code from anywhere, not just from the client-side code we write. This is one of the most powerful aspects of how the internet is designed: it allows linking between sites. But it is also the cause of a common security flaw, cross-site request forgery (CSRF).
A CSRF attack occurs when a user is tricked into interacting with a page or script on a third-party site that generates a malicious request to your site. All your server will see is an HTTP request from an authenticated user. However, the attacker controls the form of the data sent in the request, and uses that control to cause mischief.
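Because the session cookie alone cannot tell the server where a request came from, a state-changing handler needs a second signal. The sketch below is an added example, not code from the original page: it checks the `Origin`/`Referer` header and a session-bound token before accepting a post. The handler, the request dictionary layout, the `example.test` origin and the field names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed here)
TRUSTED_ORIGIN = "https://example.test"   # assumed origin of our own site

def issue_csrf_token(session_id: str) -> str:
    """Token embedded in forms our own pages render; bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def handle_post(request: dict, sessions: dict) -> int:
    """Return the HTTP status for a state-changing request."""
    session_id = request["cookies"].get("session")
    if session_id not in sessions:
        return 401                        # not logged in
    if request["method"] != "POST":
        return 405                        # never change state on GET
    if not same_origin(request["headers"]):
        return 403                        # request was generated by another site
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403                        # cookie present, token missing or wrong
    sessions[session_id].append(request["form"]["message"])
    return 200

def make_request(origin, token, method="POST"):
    """Constructed sample request; the browser attaches the cookie either way."""
    return {"method": method, "cookies": {"session": "sess-alice"},
            "headers": {"Origin": origin},
            "form": {"message": "hello", "csrf_token": token}}

if __name__ == "__main__":
    store = {"sess-alice": []}
    good = issue_csrf_token("sess-alice")
    print(handle_post(make_request(TRUSTED_ORIGIN, good), store))      # 200
    print(handle_post(make_request("https://other.test", ""), store))  # 403
```

Both sample requests carry the same valid session cookie; only the one that also carries the matching origin and token is accepted.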
Imagine you run a micro-blogging service that allows your users to tweep their opinions at each other in 140-character-sized chunks.