How can an iframe cause XSRF?

The code example you gave is a cross-site scripting vulnerability, because it allows the execution of arbitrary JavaScript, assuming "a" is untrusted:

a = "\"); evil(); document.write(\""

A malicious site can use an iframe to exploit a vulnerable site via CSRF:

In a typical CSRF attack, the browser is tricked by a malicious site into submitting a request to a vulnerable site. The browser will include the cookies for that site, thus the request is authenticated from the point of view of the vulnerable site.

While there are a number of ways to trigger a GET request, cross-site POST requests are usually created by submitting a form. While JavaScript can be used to trigger the submission automatically, it cannot be used to hide the result page. So in a simple POST-based CSRF attack the user will be warned after the fact.

So the trick is to put the malicious auto-submitting form into an invisible IFrame. Therefore the user will not see the webpage showing the submission result.

A related attack is click-jacking: the vulnerable site (e.g. Facebook's like button) is loaded into a transparent iframe and JavaScript is used to scroll it to the appropriate location and keep it positioned at the mouse cursor. If the user tries to click on anything on the malicious site, they will click on the transparent iframe instead.


An iframe cannot introduce a Cross Site Request Forgery or Cross Site Scripting vulnerability. An iframe is unable to influence an application in this way due to the Origin inheritance Rules for iframes.

Iframes are used by the attacker in a UI Redress attack. Also, you should read the CSRF prevention cheat sheet, especially the part on how XSS can be used to undermine CSRF protection systems.
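
Added example, not part of either answer above: a sketch of server-side defences against the hidden-iframe form post and the click-jacking overlay described on this page. The origin `https://app.example`, the cookie name `sid`, the token field names and the request/session object shapes are all assumptions made for illustration.

```javascript
// Hypothetical names throughout; adapt to your framework's request/session objects.
const ALLOWED_ORIGIN = "https://app.example"; // assumed origin of the protected site
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Response headers that forbid other origins from framing our pages
// (defence against click-jacking / UI redress).
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY", // fallback for browsers without frame-ancestors
  };
}

// SameSite=Lax keeps the session cookie off cross-site POSTs, including a
// form auto-submitted inside an iframe on another site.
function sessionCookie(sessionId) {
  return `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Comparison without early exit, so timing does not leak the matching prefix.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may change state.
// req: { method, headers (lower-cased keys), body }, session: { csrfToken }
function checkCsrf(req, session) {
  if (SAFE_METHODS.has(req.method)) return { ok: true };
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { ok: false, reason: "cross-origin request" };
  }
  // The cookie arrives automatically; the per-session token does not,
  // because the forging page cannot read it from our origin.
  const sent = req.headers["x-csrf-token"] || (req.body && req.body.csrf_token);
  if (!session || !session.csrfToken || !safeEqual(sent, session.csrfToken)) {
    return { ok: false, reason: "missing or wrong CSRF token" };
  }
  return { ok: true };
}
```

Safe methods pass unchecked here, so this only protects an application whose GET handlers never change state.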