Topic on Talk:Core Platform Team/Initiative/Core REST API in MediaWiki/Epics, User Stories, and Requirements

Should the API be stateless?

DBarratt (WMF) (talk | contribs)

Instead of allowing a client to log in to the server with a session, perhaps it would be better if the API were stateless. This would prevent the need to have CSRF tokens. The client would instead send an Authorization header with each request. Additionally, this would allow a client on a different origin to make authenticated, cross-origin requests (by allowing such requests with the Access-Control-Allow-Credentials header).
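As an added illustration of the point above (example code, not from this thread or from MediaWiki), a toy Python handler that accepts either a session cookie or a bearer token in the Authorization header, using constructed sessions, tokens and an allowlisted origin. The cookie path needs a CSRF token because browsers attach cookies to cross-site requests automatically, while the bearer path does not, since a foreign page cannot make the browser add an Authorization header; the CORS helper shows that Access-Control-Allow-Credentials must be paired with an explicit origin, never a wildcard.

```python
from dataclasses import dataclass, field
import hmac

# Constructed sample state: one cookie session and one OAuth-style bearer token.
SESSIONS = {"sess-abc": {"user": "Alice", "csrf": "csrf-123"}}
BEARER_TOKENS = {"oauth-token-xyz": "Alice"}
ALLOWED_ORIGINS = {"https://gadget.example"}  # hypothetical gadget origin


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def authenticate(req):
    """Return (user, mode); mode is 'bearer' or 'cookie', or (None, None)."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = BEARER_TOKENS.get(auth[len("Bearer "):])
        return (user, "bearer") if user else (None, None)
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess:
        return sess["user"], "cookie"
    return None, None


def handle_edit(req):
    """State-changing endpoint: CSRF check only on the ambient-credential path."""
    user, mode = authenticate(req)
    if user is None:
        return 401, "unauthenticated"
    if mode == "cookie":
        # The cookie rode along automatically, so prove the request came from our own page.
        expected = SESSIONS[req.cookies["session"]]["csrf"]
        if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
            return 403, "missing or bad CSRF token"
    # Bearer mode: the client had to set the header explicitly, which a cross-site
    # form or image tag cannot do, so no extra anti-CSRF token is required.
    return 200, f"edit saved for {user}"


def cors_headers(origin):
    """Credentialed CORS: echo only an allowlisted origin; browsers reject '*' here."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}
```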

EProdromou (WMF) (talk | contribs)

I think our intention for the Core REST API is to use only OAuth 1.0 and 2.0 for authorization. I am really leery of session cookies for APIs, and I'd like to avoid them.

It makes in-browser apps like user gadgets more complex (we have to figure out how to pass OAuth tokens to the browser client), but reduces the impact of other kinds of attacks.

DBarratt (WMF) (talk | contribs)

💯
