Browser problem, not site problem
One might argue that sites should be allowed to make/redirect requests to other domains, and I would be open to that argument. I do not, however, understand why browsers do not protect authenticated sessions. By requiring authentication, you (the website) are telling the browser that the site is protected by user authentication, so why do browsers allow other domains to make requests to the protected site? If a request for the protected site comes from any site other than the protected site itself, the browser should, at the very least, alert you to that fact and prompt for your authentication credentials again.
Personally, I never understand why you can't treat each browser window (and now tab) as its own session, separate from other windows and tabs. This is, once again, a problem in the way browsers access a website, which is something the website has literally no control over. If the browser wants to share the user's authentication status among all open windows and tabs, there's not a damn thing the website can do about that.