This answer describes a situation where CSRF can be used to trick an end user into entering a credit card into another person's Paypal account. It also highlights the fact that state-changing GET requests are just as bad as POST requests.
This is pretty simple to understand when dealing with a single forms-based authentication system. But if we introduce an authentication system based on GETs and POSTs to different domains that we don't "own", I'm not sure how to prevent CSRF in that situation.
If I were to extend this to OpenID, does this mean that a user could inject their OpenID credentials into my session?
What is the right way to address this problem?
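The following is an added example illustrating the login-CSRF scenario the question raises (someone completing a redirect-based login as themselves and then replaying the provider's callback into another user's browser). It is constructed, hypothetical code, not from the original post and not from any OpenID or OAuth library: the identity provider is simulated with a toy HMAC-signed assertion standing in for the provider's real signature check, and the names `begin_login`, `provider_authenticate` and `finish_login` are invented for the demonstration. The technique shown is the relying party binding an unguessable single-use `state` nonce to the browser session that started the login and rejecting any callback, GET or POST, whose `state` does not match that session.

```python
"""Added example: binding a login callback to the session that started it.

Constructed demo, not any real OpenID/OAuth library. The provider's signature
is simulated with a shared-key HMAC so the whole flow runs offline.
"""
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed shared secret between the simulated provider and the relying party.
PROVIDER_KEY = b"constructed-demo-provider-key"


def _sign(params: dict) -> str:
    """Simulated provider signature over the sorted parameters (toy, demo only)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()


def begin_login(session: dict, provider_url: str) -> str:
    """Relying party: start a login and bind a fresh nonce to THIS session."""
    nonce = secrets.token_urlsafe(32)
    session["login_state"] = nonce  # only the session that began the login knows it
    query = {"return_to": "https://rp.example/callback", "state": nonce}
    return provider_url + "?" + urlencode(query)


def provider_authenticate(redirect_url: str, identity: str) -> str:
    """Simulated provider: authenticate the browser's user, echo state, sign."""
    req = parse_qs(urlparse(redirect_url).query)
    params = {"identity": identity, "state": req["state"][0]}
    params["sig"] = _sign(params)
    return req["return_to"][0] + "?" + urlencode(params)


def finish_login(session: dict, callback_url: str) -> Optional[str]:
    """Relying party callback (reached by GET): verify signature AND session state.

    Returns the identity to log in, or None when the response must be rejected.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(params)):
        return None  # forged or tampered assertion
    expected = session.pop("login_state", None)  # single use: consumed on first check
    if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
        return None  # callback belongs to some other browser session
    return params["identity"]


def demo() -> tuple:
    """Honest login succeeds; an injected callback from another session is rejected."""
    provider = "https://idp.example/login"

    # Honest flow: the victim's browser starts the login and completes it.
    victim = {}
    honest = finish_login(victim, provider_authenticate(begin_login(victim, provider), "alice"))

    # Login-CSRF attempt: the attacker logs in as themself at the provider, then
    # lures the victim's browser into the resulting callback URL (a GET, so an
    # <img> tag or link suffices). The state in that URL is bound to the
    # attacker's session, not the victim's, so the relying party rejects it.
    victim = {}
    begin_login(victim, provider)  # victim has some login pending
    attacker = {}
    evil_cb = provider_authenticate(begin_login(attacker, provider), "mallory")
    injected = finish_login(victim, evil_cb)
    return honest, injected


if __name__ == "__main__":
    print(demo())
```

The signature check is what stops an attacker from forging an identity assertion; the session-bound `state` is what stops them from presenting a perfectly valid assertion for *their* account to *your* session. Popping the nonce also makes every callback single-use, so a captured callback URL cannot be replayed.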