There's a problem with every browser's security model that, as developers, we must be aware of.
When a user has logged in to a site, any requests made via the authenticated browser are treated as legitimate — even if the links for these requests come from an email, or are performed in another window. Once the browser has a session, all windows can access that session.
This means an attacker can drive a user's actions on a site they are logged in to with a specially crafted link, or with automatic AJAX calls that require no user interaction beyond being on the page that contains the malicious AJAX.
For instance, if a banking web app hasn't been properly CSRF secured, an attacker could convince the user to visit ...
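To make the mechanism concrete, here is an added example (not code from the original article) that models the banking transfer endpoint twice: once authenticating by session cookie alone, and once with the two checks a CSRF-secured site adds, an Origin check and a per-session token submitted in the form. The session store, the origin `https://bank.example`, the token values and the two sample requests are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed sample state: one logged-in user whose session carries a CSRF token.
SESSIONS = {"sess-alice-1": {"user": "alice", "csrf_token": "tok-alice-9f3a"}}
ALLOWED_ORIGINS = {"https://bank.example"}  # hypothetical origin of the banking app


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it (constructed, not a real framework)."""
    method: str
    cookies: dict
    headers: dict
    form: dict


def _do_transfer(user, form, balances):
    """Move money between accounts; shared by both handlers."""
    to = form.get("to")
    amount = int(form.get("amount", 0))
    if to not in balances or amount <= 0 or balances.get(user, 0) < amount:
        return 400, "bad transfer"
    balances[user] -= amount
    balances[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def vulnerable_transfer(req, balances):
    """Authenticates by the session cookie alone: any page that makes the
    browser send that cookie is treated as the user."""
    session = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or session is None:
        return 401, "not logged in"
    return _do_transfer(session["user"], req.form, balances)


def hardened_transfer(req, balances):
    """Same endpoint with two independent CSRF checks: the request's Origin
    must be the site's own, and the form must carry the token bound to the session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or session is None:
        return 401, "not logged in"
    # Browsers set Origin on cross-site POSTs; a foreign or missing origin is rejected.
    if req.headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, "cross-site or missing origin"
    # The token is embedded in the page the site served, not in the cookie, so a page
    # on another origin cannot read it; constant-time compare avoids timing leaks.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid csrf token"
    return _do_transfer(session["user"], req.form, balances)


# Constructed sample traffic. In both cases the browser attaches the session cookie
# automatically, which is exactly the behaviour described above.
LEGIT_REQUEST = Request(
    method="POST",
    cookies={"session": "sess-alice-1"},
    headers={"Origin": "https://bank.example"},
    form={"to": "mallory", "amount": "100", "csrf_token": "tok-alice-9f3a"},
)
FORGED_REQUEST = Request(  # submitted from a page on another origin while alice is logged in
    method="POST",
    cookies={"session": "sess-alice-1"},
    headers={"Origin": "https://attacker.example"},
    form={"to": "mallory", "amount": "100"},
)


def compare_handlers():
    """Run both requests through both handlers on fresh balances; return (status, alice's balance)."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_transfer), ("hardened", hardened_transfer)):
        for label, req in (("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST)):
            balances = {"alice": 1000, "mallory": 0}
            status, _ = handler(req, balances)
            results[(name, label)] = (status, balances["alice"])
    return results


if __name__ == "__main__":
    for key, value in compare_handlers().items():
        print(key, value)
```

The vulnerable handler cannot tell the forged request from the real one, because the only thing it checks is the cookie the browser attached on its own. The hardened handler rejects the forged request twice over: the Origin is foreign, and the token the site put in its own page is absent. Keep both checks rather than relying on Origin alone, since some clients omit that header, and set the session cookie with `SameSite=Lax` or `Strict` as a further layer so the browser stops attaching it to cross-site POSTs in the first place.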