
Add CSRF prevention support

Cross-Site Request Forgery (CSRF) is a request to the server initiated from another website. Allowing this is potentially dangerous because the request piggybacks on the existing session on the server if it is run from the same browser (imagine two tabs: one logged in to the server, the other showing a malicious site that sends a request to the server).


The most suitable way to prevent this seems to be the Synchronizer Token Pattern (STP), which effectively requires a unique token to be sent with a request and validated when submitting data. This could be implemented in JAS reasonably easily, similarly to captchas.


Some things to consider:

  • Tokens should only be required when submitting data (like captchas)
    • Added $this->addFIeld("s", "stp", "form", "hidden;control", 1, 64, "STP"); to Data::defaultFields()
  • They can be easily added to the CMS (like captchas) however that'll break non-CMS data submits
  • A token should remain valid for one whole request, so multiple Data::submits in the same request would use the same token
  • Once a token is used it should be deleted (at the end of the request)
  • Multiple tokens should be able to be "active" at one time
    • Imagine opening a second tab to look up information; if only 1 token is supported, it would overwrite the token of the first tab.
  • Tokens should only be generated when needed (i.e. when the CMS is used) to prevent unused tokens from cropping up
  • The number of active tokens should be limited to prevent it from growing indefinitely
  • It should be configurable
  • Should APIs require STP as well?
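A session-scoped token store that covers the points above (several active tokens at once, a cap on their number, one token reused for every submit within a request, deletion at the end of the request), as an added Python example rather than JAS code; the dict-like session, the class and method names and the cap of 10 are assumptions standing in for JAS's own session handling and Data::submit hooks.

```python
import hmac
import secrets
from collections import OrderedDict

MAX_ACTIVE_TOKENS = 10  # assumed cap so the per-session store cannot grow indefinitely


class StpTokenStore:
    """Synchronizer Token Pattern store kept in the user's session (constructed example)."""

    def __init__(self, session, max_active=MAX_ACTIVE_TOKENS):
        self.session = session            # dict-like session, e.g. $_SESSION in PHP
        self.max_active = max_active
        self.used_this_request = None     # token that validated during this request

    def issue(self):
        """Generate a token only when a form is rendered; keep the newest max_active."""
        tokens = self.session.setdefault("stp", OrderedDict())
        token = secrets.token_hex(32)     # 64 hex chars, fits the 1..64 hidden field
        tokens[token] = True
        while len(tokens) > self.max_active:
            tokens.popitem(last=False)    # evict the oldest token first
        return token

    def validate(self, submitted):
        """Check a submitted token; every submit in the same request sees the same token."""
        candidate = (submitted or "").encode()
        if self.used_this_request is not None:
            # A token was already consumed in this request: only that one is accepted.
            return hmac.compare_digest(self.used_this_request.encode(), candidate)
        for token in self.session.get("stp", OrderedDict()):
            if hmac.compare_digest(token.encode(), candidate):  # constant-time compare
                self.used_this_request = token
                return True
        return False

    def end_request(self):
        """Delete the consumed token once the request has finished."""
        if self.used_this_request is not None:
            self.session.get("stp", {}).pop(self.used_this_request, None)
            self.used_this_request = None
```

Tokens issued for other tabs stay valid until they are used or evicted by the cap, so a second tab does not overwrite the first tab's token.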


Note that this change may also resolve: JAS16MAR002, JAS16JAN006
Project: JAS Core (JAS)
Rank: 3
Workflow:
Version:
Due in version:
Fixed in changeset: 3860

Updates (2)

Wednesday 23rd of March 2016 at 12:21 :
Issue updated
Description: Cross-Site Request Forgery (C... => Cross-Site Request Forgery (C...
Tuesday 26th of April 2016 at 13:56 :
Issue updated
Workflow: Open => Closed
Fixed in changeset: 0 => 3860

Files (0)

No files