CSRF can be prevented by using random tokens etc.
But can the following help us solve the problem more easily?

http://wasjournal.blogspot.com/2006/12/csrf-protection-for-ajax-area-of-web.html

damn slow those blogspots.

see their
> Note 1. If your site has XSS, this technique won't help.
then read think about "Universal XSS with PDF" from last days ...
Other problems with this simple aproach are HTTP Response/Request Splitting/Smuggling.
Anyway, it raises the bar for an attacker.

I would agree with you.
But I honestly think that if XSS is there, you are already screwed.
Same is the case with HTTP Response/Request Splitting/Smuggling.

You don't even deserve to be protected if you already have these vulnerabilities :)

I'm not sure if this would interest people, but Stefan Esser thought of a way to use the cross-domain policy to protect yourself against CSRF even if you're vulnerable to XSS on part of your site: http://blog.php-security.org/archives/48-CSRF-protections-are-not-doomed-by-XSS.html

Of course its difficult to implement and secure, but its an interesting concept. Hmm, I think I might work on trying to get an implementation of that working.....

If XSS is on a post-login page and requires a random token get submitted along with the XSS vector, then I think that XSS is hard to exploit.

i.e. XSS done via CSRF

@kuza55

Cool, let me know if you got something!