Wouldn't also using a custom HTTP header instead of cookies for passing a session identifier prevent this attack? A script tag cannot set headers, right?
Correct me if I'm wrong, but does this not merely allow an attacker to cause the browser to make requests with custom headers? That is, it does not allow the attacker to gain the CSRF token, and if the CSRF token is not known to the attacker, he would still not be able to make API requests.
http://lists.webappsec.org/pipermail/websecurity_lists.webap...
Rails and Django patches/recommendations on the issue: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypas... https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-e...
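To make the distinction in the comments above concrete, here is an added example (not code from the thread, Rails or Django): a header-presence check of the kind the linked Rails post addresses, beside a check that compares a per-session CSRF token carried in a custom header. The `Request` class, the `X-CSRF-Token` header name and the `new_session` helper are assumptions made for this demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def header_only_check(req: Request) -> bool:
    """Weak check: any request carrying the custom header is accepted.
    The header's presence carries no secret, so a caller that can add a
    fixed header to a browser-issued request passes this check."""
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"


def token_check(req: Request, session_tokens: dict) -> bool:
    """Hardened check: the header value must equal the CSRF token stored
    server side for the session named by the cookie. Without the ability to
    read that token, a cross-site caller cannot supply a matching value."""
    expected = session_tokens.get(req.cookies.get("session"))
    supplied = req.headers.get("X-CSRF-Token")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time compare


def new_session(session_tokens: dict) -> tuple:
    """Hypothetical helper: issue a session id and a per-session token."""
    sid = secrets.token_urlsafe(16)
    session_tokens[sid] = secrets.token_urlsafe(32)
    return sid, session_tokens[sid]


def demo() -> dict:
    tokens = {}
    sid, tok = new_session(tokens)
    # Request from the application's own page: cookie plus the real token.
    genuine = Request(headers={"X-Requested-With": "XMLHttpRequest",
                               "X-CSRF-Token": tok}, cookies={"session": sid})
    # Cross-site request: the browser attaches the cookie on its own and the
    # caller can add a fixed header, but it does not know the token value.
    forged = Request(headers={"X-Requested-With": "XMLHttpRequest",
                              "X-CSRF-Token": "guess"}, cookies={"session": sid})
    return {"header_only_genuine": header_only_check(genuine),
            "header_only_forged": header_only_check(forged),
            "token_genuine": token_check(genuine, tokens),
            "token_forged": token_check(forged, tokens)}
```

The header-only check accepts both requests; only the token comparison rejects the forged one, which is the point made in the second comment.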