XSRF token is only useful with cookie (or IP based) authentication. No need to
use it when authenticating via OAuth or X-Appengine-Inbound-Appid (since
there's no way to forge a request with custom header, e.g. Cloud Endpoints do
not use XSRF tokens).
Requiring XSRF token makes Appengine <-> Appengine calls complicated since now
XSRF token has to be managed somehow.
Original issue reported on code.google.com by vadimsh@chromium.org on 18 Dec 2014 at 7:45
Original issue reported on code.google.com by
vadimsh@chromium.org
on 18 Dec 2014 at 7:45