OAuth uses the Authentication header, not cookies, so it's not vulnerable to CSRF attacks. Requiring extra token lookup requests from apps using OAuth is unnecessary extra complexity.
Mentioned In:
- T245474: CORS not enabled for OAuth 2.0
- T232692: Should MediaWiki stop storing sessions on the server?
- T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API
- T223239: REST API Parameter Validation
- T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens
- T125779: pywikibot OAuth should properly handle expired tokens, instead of endless loop.
I'm inclined to decline this: requiring the CSRF tokens doesn't hurt anything besides an extra round-trip once to fetch the token and a few bytes to send it, and it's likely to be much more complex to sometimes require them and sometimes not than it is to just always require them.
I also note that clients that support both OAuth and non-OAuth authentication (e.g. anything that wants to support non-WMF wikis too) will already have to have the code for handling the tokens, so it's not even likely to save them anything.
Specifically, much more complex in the code that actually checks that the token is valid. And unnecessary complexity in security code is generally considered bad.
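As an added illustration of the two positions in this task (this is example code written for this page, not code from MediaWiki, pywikibot or the task), the Python sketch below models a server that accepts either an OAuth bearer token in the Authorization header or a cookie session, and implements both policies under discussion: policy A always requires a CSRF token on writes, policy B requires it only when the credential was a cookie. It then builds the three kinds of request a server would see: a forged cross-site POST (the browser attaches the victim's cookies but cannot set Authorization or read the token), a real OAuth client POST, and a same-site browser POST. The secret, token store, session store, token values and request shapes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Everything below is constructed for the example: secret, access-token store, session store.
SERVER_SECRET = b"example-server-secret-not-for-production"
ACCESS_TOKENS: Dict[str, str] = {"oauth-access-token-abc": "user:alice"}  # bearer token -> principal
SESSIONS: Dict[str, str] = {"sess-123": "user:alice"}                     # session cookie -> principal


@dataclass
class Request:
    """Minimal model of an HTTP request as the server receives it."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


def csrf_token_for(credential_id: str) -> str:
    """Bind the token to the credential that fetched it, so a token issued to one
    session or access token cannot be replayed against another."""
    return hmac.new(SERVER_SECRET, credential_id.encode(), hashlib.sha256).hexdigest()


def authenticate(req: Request) -> Optional[Tuple[str, str, str]]:
    """Return (principal, credential_id, source) with source 'bearer' or 'cookie', else None."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        if token in ACCESS_TOKENS:
            return ACCESS_TOKENS[token], token, "bearer"
    sid = req.cookies.get("session")
    if sid is not None and sid in SESSIONS:
        return SESSIONS[sid], sid, "cookie"
    return None


def fetch_token(req: Request) -> Optional[str]:
    """The extra round-trip: an authenticated GET that hands the caller its own token."""
    auth = authenticate(req)
    if auth is None or req.method != "GET":
        return None
    return csrf_token_for(auth[1])


def token_matches(req: Request, credential_id: str) -> bool:
    """Constant-time comparison of the supplied token with the one bound to this credential."""
    supplied = req.params.get("csrftoken", "")
    return hmac.compare_digest(supplied.encode(), csrf_token_for(credential_id).encode())


def authorize_write_always_token(req: Request) -> bool:
    """Policy A: every authenticated write carries a valid token, whatever the auth method."""
    auth = authenticate(req)
    if auth is None or req.method != "POST":
        return False
    return token_matches(req, auth[1])


def authorize_write_token_for_cookies(req: Request) -> bool:
    """Policy B: the token is demanded only when the credential was a browser-managed cookie.
    The extra branch below is the 'sometimes required, sometimes not' logic from the comments."""
    auth = authenticate(req)
    if auth is None or req.method != "POST":
        return False
    _, credential_id, source = auth
    if source == "bearer":
        return True  # header was set explicitly by the client; a browser never attaches it
    return token_matches(req, credential_id)


def forged_cross_site_post(victim_cookies: Dict[str, str]) -> Request:
    """What a malicious page can make the victim's browser send: the browser attaches the
    victim's cookies, but the page can neither read the session-bound token nor set an
    Authorization header on the request."""
    return Request("POST", cookies=dict(victim_cookies),
                   params={"action": "edit", "text": "forged edit"})


def oauth_client_post(access_token: str, params: Dict[str, str]) -> Request:
    """What an OAuth client sends: an explicit Authorization header and no cookies."""
    return Request("POST", headers={"Authorization": "Bearer " + access_token}, params=dict(params))


def browser_post(session_id: str, params: Dict[str, str]) -> Request:
    """What the site's own page sends: the session cookie plus the params the page embedded."""
    return Request("POST", cookies={"session": session_id}, params=dict(params))


if __name__ == "__main__":
    forged = forged_cross_site_post({"session": "sess-123"})
    print("forged POST, policy A:", authorize_write_always_token(forged))
    print("forged POST, policy B:", authorize_write_token_for_cookies(forged))
    tok = fetch_token(Request("GET", headers={"Authorization": "Bearer oauth-access-token-abc"}))
    legit = oauth_client_post("oauth-access-token-abc", {"action": "edit", "csrftoken": tok})
    print("OAuth client with fetched token, policy A:", authorize_write_always_token(legit))
```

Both policies reject the forged request, which is the observation in the task description. The difference is where the security decision lives: under policy A the only check is `token_matches`, while policy B adds a branch keyed on how the request authenticated, and a mistake in that classification (for example, treating a request as bearer-authenticated when the cookie was actually what `authenticate` accepted) would become a CSRF bypass, which is the point made in the last two comments.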