No. Unblow your mind. Any service which returns sensitive data in JSON via an HTTP get based on the user's cookie is vulnerable. At worst, an attacker would just be able collect the response of a GET on behalf of a visitor to the attacker's site if the user is on a really old browser.
This method only works for HTTP GETs, and can't get around requirements to present CSRF tokens with the request. This is one of several possible strategies for guarding against CSRF.
Wouldn't also using a custom HTTP header instead of cookies for passing a session identifier prevent this attack? A script tag can not set headers, right?
Correct me if I'm wrong, but does this not merely allow an attacker to cause the browser to make requests with custom headers? That is, it does not allow the attacker to gain the CSRF token, and if the CSRF token is not known to the attacker, he would still not be able to make API requests.