That can't happen: javascript can't read cookies from domains it wasn't served from.
Fred
the javascript would be served from the same website...
No, it wouldn't. It would be served from the forum website.
Consider a forum... you enter some javascript in comments... when another user opens the forum thread, the javascript you entered would be executed... that is the way I suppose CSRF works... correct me if I'm wrong.
You are wrong. The javascript served from the forum thread can not read cookies from the target site and thus cannot build the needed authenticity token. And even if it could read the cookies, it would also need to know the secret key used to build the token.
If you are talking about a case where the forum site would be both the target and the source of the malicious code, then it would be a different thing. However, it wouldn't really be cross-site anymore. Also, that is something you as a site developer can and should do something about. You should never let users enter arbitrary javascript onto your site. However, you cannot prevent other site owners from being lax about security, and thus need to secure yourself against CSRF.
If the script can transfer the cookie, it can also transfer the authentication_token.
So now the 3rd party application has both cookie and the token :).
Please re-read the CSRF page on Wikipedia. It seems that you don't really understand what CSRF is about. It's not about Javascript run on your site, it's about third-party page sending requests to your site (from javascript or even using something like image tags). That third party page does not have access to the cookies of your site.
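To make the point in the two replies above concrete (the token is derived from the session with a server-side secret, so a third-party page that can neither read the cookie nor see the secret cannot produce a valid one), here is an added illustration. It is not Rails' own implementation or code from this thread; the secret, the cookie and parameter names and the request shape are assumptions.

```ruby
require 'openssl'
require 'securerandom'
# Constructed illustration (not Rails' own code): the authenticity token is an
# HMAC over the session id under a server-side secret. The secret value and the
# cookie/param names are assumptions for this example.
SERVER_SECRET = 'server-side-secret-never-sent-to-any-page'.freeze

def authenticity_token(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, session_id)
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check for a state-changing request. The browser attaches the
# session cookie by itself; the token must come from a form the site rendered.
def verify_request(req)
  session_id = req[:cookies]['_session_id']
  token = req[:params]['authenticity_token']
  return false if session_id.nil? || token.nil?
  secure_compare(token, authenticity_token(session_id))
end

# A form served by the target site: token built for the same session cookie.
def legitimate_request(session_id)
  { cookies: { '_session_id' => session_id },
    params: { 'authenticity_token' => authenticity_token(session_id) } }
end

# A third-party page can make the browser send the cookie, but it cannot read
# the cookie and does not know SERVER_SECRET, so any token it sends is a guess.
def cross_site_request(session_id, supplied_token)
  { cookies: { '_session_id' => session_id },
    params: { 'authenticity_token' => supplied_token } }
end

def simulate
  sid = SecureRandom.hex(16)
  {
    legitimate: verify_request(legitimate_request(sid)),
    # even knowing the session id, a token made with the wrong secret fails
    wrong_secret: verify_request(cross_site_request(sid, authenticity_token(sid, 'guess'))),
    no_token: verify_request({ cookies: { '_session_id' => sid }, params: {} })
  }
end
```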
If it does not provide a complete solution, everyone should know about it... so that they do not assume that it is.
Define a complete solution. Oh, right, there is no such thing.
I'm sure no one has said that authenticity_token would be a complete solution to web app security and I have a hard time thinking many people would ever assume that.
Like I (and Manfred) said before, it is hard to build shields against even specific threats on the framework level. CSRF is probably one of the few low-hanging fruits. A general solution for all threats is just a pipedream. But if you find a generic solution against specific cases you encounter that would be easy to implement, go ahead and send a patch.
//jarkko