Secure Coding mailing list archives

CSRF and Header Forging - your thoughts needed


From: michael.coates at owasp.org (Michael Coates)
Date: Fri, 14 May 2010 09:01:45 -0700

All,

I'm looking for thoughts on CSRF attacks that result in forged headers 
from the victim user to the target site. Are there modern attacks that 
work here? If not, could we implement a CSRF protection that uses a 
custom header and avoid the cost of computing random numbers?  This 
sounds very strange at first since we are accustomed to the standard 
random CSRF token approach.  However, please take a look and contribute 
to the comment thread:

http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html

(Several comments on the article already, I encourage you to post your 
comments there for everyone to read)

Thanks!

-- 
Michael Coates
http://michael-coates.blogspot.com
OWASP Member & Contributor
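An added illustration of the custom-header approach the post asks about (example code, not from the post or the linked article): a server-side check that accepts a state-changing request only when it carries a fixed custom header, together with the CORS preflight rule the check depends on. The header name and value, the function names and the sample origins are assumptions.

```python
from typing import Mapping, Optional

# Constructed header name/value (assumption); any fixed name works as long as
# a cross-site <form> or <img> cannot attach it.
CSRF_HEADER = "x-requested-with"
CSRF_HEADER_VALUE = "XMLHttpRequest"
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _lower_headers(headers: Mapping[str, str]) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def is_csrf_acceptable(method: str, headers: Mapping[str, str]) -> bool:
    """Allow a state-changing request only if it carries the custom header.

    A cross-site form submission or image load cannot set custom headers,
    and a cross-origin XMLHttpRequest that tries to is preflighted by the
    browser first. So the header's presence indicates same-origin script,
    with no per-session random token to generate or store.
    """
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state in the first place
    return _lower_headers(headers).get(CSRF_HEADER) == CSRF_HEADER_VALUE


def preflight_allow_headers(origin: str, requested_headers: str,
                            trusted_origins: frozenset) -> Optional[str]:
    """Return the Access-Control-Allow-Headers value to send, or None to refuse.

    The check above is only as strong as the CORS policy: granting the
    custom header to an untrusted origin in a preflight response would let
    that origin's script send it, so only trusted origins are approved.
    """
    if origin not in trusted_origins:
        return None
    wanted = [h.strip().lower() for h in requested_headers.split(",") if h.strip()]
    return ", ".join(wanted) if wanted else None
```

Requests whose headers can be set by a plain cross-site form (Content-Type, Accept, etc.) give no evidence either way, which is why the check keys on a header the browser only lets scripts add.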