Yep. I'm sending a patch for the CSRF token masking change shortly. I'm less sure about the length hiding change; it feels like an ugly hack, but we put it in because it's the least awful solution that the paper presents. I'm curious to find out exactly how effective the length hiding is one the PoC code is released.