CSRF protection for API with rails session cookie
Description
Currently, state-changing API requests are rejected when authenticated by the session cookie, because there is no CSRF protection on that path. Verifying a CSRF token is actually quite easy.
Proposal
Send the CSRF token along with API requests, and allow state changes with the session cookie if the CSRF token is both present and valid.
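An added, stand-alone Ruby illustration of the proposed check (example code, not GitLab's own): a state-changing request authenticated by the session cookie is allowed only if it also carries a valid CSRF token. The token handling mirrors the Rails scheme (raw token kept in the session, a per-request masked value handed to the client); the `auth:` parameter and the exemption for a non-cookie `:token_header` credential are assumptions.

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32 # raw token size in bytes, as Rails uses

# What the server would store in session[:_csrf_token]
def generate_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the raw token for transport: random one-time pad followed by pad XOR token,
# so the value sent to the client differs on every request.
def mask_token(raw_token)
  real = Base64.strict_decode64(raw_token)
  pad  = SecureRandom.random_bytes(real.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, real))
end

# Constant-time comparison so timing does not leak how many bytes matched
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask the presented token and compare it to the session's raw token.
# Missing, malformed or wrong-length values are rejected rather than raising.
def valid_csrf_token?(session_token, presented)
  return false if session_token.nil? || presented.nil?
  begin
    decoded = Base64.strict_decode64(presented)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad    = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), Base64.strict_decode64(session_token))
end

# Gate for one state-changing API request. A credential sent in a header
# (assumed :token_header) is not attached by the browser automatically, so it is
# not subject to CSRF; the session cookie path requires the token in X-CSRF-Token.
def allow_state_change?(auth:, session_token:, csrf_header:)
  return true if auth == :token_header
  return false unless auth == :session_cookie
  valid_csrf_token?(session_token, csrf_header)
end
```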
Links / references
http://stackoverflow.com/questions/7203304/warning-cant-verify-csrf-token-authenticity-rails
I'd quite like this as a prerequisite to https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6641