I was trying to find more information on CSRF vulnerabilities for APIs, and the closes I've found is the question here:
Are JSON web services vulnerable to CSRF attacks?
The issue is that even there, they're using browser-based, cookie-controlled sessions. If you're using an authentication token set in the headers, doesn't that invalidate all CSRF concerns?
A browser can't provide the authentication token / session data, because the browser is never given it! Javascript is responsible for extracting the token and setting it instead -- and if a hostile user can inject code into your javascript, you've got much worse security vulnerabilities than CSRF to begin with.
Am I missing something?
