by mixedbit 4532 days ago
But with tokens in URLs you can do CSRF.
1 comments

No, you need the signed token for the link, that will only work for that particular URL (protocol, host, path, query), for a brief period of time and only for GETs. As mentioned in the blog post, you can check Hawk bewits:

https://github.com/hueniverse/hawk
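
The properties named in the reply above (token bound to protocol, host, path and query, short lifetime, GET only), as an added example that is not part of the thread and is not Hawk's code or bewit wire format. The token layout, `linkMac`, `signUrl`, `verifyUrl`, the key, the clock value and the `example.test` URL are all assumptions made for illustration.

```javascript
// Added illustration: bewit-style signed GET links (simplified, not Hawk's wire format).
const { createHmac, timingSafeEqual } = require('node:crypto');

const KEY = 'constructed-demo-key'; // constructed secret known to issuer and verifier

// The MAC input covers expiry, method, protocol, host, port and path+query,
// so a token minted for one URL fails on any other.
function linkMac(key, exp, method, url) {
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  const base = ['demo.bewit', exp, method, url.protocol, url.hostname, port,
    url.pathname + url.search].join('\n');
  return createHmac('sha256', key).update(base).digest('base64url');
}

// Issue a link valid for ttlSec seconds; nowMs is passed in to keep the demo deterministic.
function signUrl(key, href, ttlSec, nowMs) {
  const url = new URL(href);
  url.hash = ''; // fragments never reach the server, so they are not signed
  const exp = Math.floor(nowMs / 1000) + ttlSec;
  const sep = url.search ? '&' : '?';
  return `${url.href}${sep}token=${exp}.${linkMac(key, exp, 'GET', url)}`;
}

// Returns 'ok' or the reason for rejection.
function verifyUrl(key, method, href, nowMs) {
  if (method !== 'GET') return 'method'; // the token never authorizes POST/PUT/DELETE
  const m = /^(.*)[?&]token=(\d+)\.([\w-]+)$/.exec(href);
  if (!m) return 'missing';
  const exp = Number(m[2]);
  if (exp * 1000 <= nowMs) return 'expired';
  const expected = Buffer.from(linkMac(key, exp, method, new URL(m[1])));
  const given = Buffer.from(m[3]);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'bad-mac';
  return 'ok';
}

const NOW = 1700000000000; // constructed clock value (ms)
const link = signUrl(KEY, 'https://example.test/report?id=7', 60, NOW);
console.log(verifyUrl(KEY, 'GET', link, NOW));                           // same URL, in time
console.log(verifyUrl(KEY, 'POST', link, NOW));                          // state-changing method
console.log(verifyUrl(KEY, 'GET', link.replace('id=7', 'id=8'), NOW));   // query changed
console.log(verifyUrl(KEY, 'GET', link, NOW + 61000));                   // past expiry
```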