Request forgery techniques like on-site request forgery (OSRF) and cross-site request forgery (CSRF) allow attackers to trick a user's browser into making requests without the user's consent. OSRF uses stored XSS to inject links that trigger requests when clicked, while CSRF embeds requests directly on malicious sites. Defenses include anti-CSRF tokens and preventing sensitive actions via GET. The same-origin policy does not fully prevent cross-domain data theft using techniques like JavaScript hijacking, Flash, and relaxed HTML5 CORS policies.