users@jersey.java.net

RE: [Jersey] Web applications using XMLHttpRequest and JAX-RS REST/JSON Web Services

From: Robertson, Jeff <jeff.robertson_at_digitalinsight.com>
Date: Fri, 7 Nov 2008 09:39:15 -0500

Going back to something particular that was mentioned the other day:

> From: Craig.McClanahan_at_Sun.COM [mailto:Craig.McClanahan_at_Sun.COM]
> Sent: Wednesday, November 05, 2008 6:36 PM
>
> Are there particular aspects of CSRF that you are concerned
> about? Note that most of this is not specific to RESTful web
> services, so pretty much any technique that works for general
> webapps is likely to work here as well.
>

This is one of those areas where we have accustomed ourselves to lean on
stateful server sessions. Many (most?) implementations of anti-CSRF
"nonce" tokens work by comparing the nonce in the form to the one stored
in the HttpSession. To do this in a stateless manner requires some
thought.

This paper outlines an approach that does not use server-side state, but
it does use cookies:

http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf


This one is explicitly RESTful, and while it doesn't even specifically
mention CSRF, I think what it has to say could be useful here:

http://bitworking.org/news/201/RESTify-DayTrader


Of course there are even more un-RESTful anti-CSRF measures like forcing
everything to be a POST. Such things have already been discredited even
outside of the REST world, as they only prevent the most basic and
unskilled of CSRF attacks.