An attack where a malicious site tricks your browser into firing a request at another site — say, your bank — while it quietly carries your login cookies, triggering actions you never meant to take. The SameSite cookie attribute is the main modern defense.