Comment 10 for bug 529348

Leonard Richardson (leonardr) wrote:

The anonymous web service access loophole might not matter, because the same code that associates IOAuthSignedRequest with the request object sets the principal to the unauthenticated principal. So you can make a CSRF POST request, but that request isn't associated with the logged-in user and can't modify the dataset. What do you think?
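The argument in the comment above, as an added illustration that is not Launchpad's code: a hypothetical Python model in which the same step that marks a web-service request as OAuth-signed also assigns the unauthenticated principal unless a valid OAuth token is present, so session cookies carry no weight on that path and a cross-site POST forged through the victim's browser is refused at the write check. The `/api/` prefix, the `SESSIONS` and `OAUTH_TOKENS` tables, the `Authorization` header shape and the `authenticate`/`modify_dataset` functions are all assumptions made for the example, not the real implementation.

```python
"""Hypothetical model (not Launchpad code) of the reasoning in comment 10:
a request on the web-service path is marked as OAuth-signed and, in the
same step, given the unauthenticated principal unless it carries a valid
OAuth token. Session cookies are ignored on that path, so a cross-site
POST forged through the victim's browser cannot act as the logged-in user."""

from dataclasses import dataclass, field

ANONYMOUS = "unauthenticated"

# Constructed sample data: one browser session and one OAuth access token.
SESSIONS = {"sess-abc": "alice"}          # cookie value -> user
OAUTH_TOKENS = {"tok-123": "alice"}       # access token -> user


@dataclass
class Request:
    path: str
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    principal: str = ANONYMOUS
    oauth_signed: bool = False  # stands in for the IOAuthSignedRequest marker


def _token_from_header(value):
    # Minimal parser for 'OAuth oauth_token="tok-123"' (assumed header shape).
    if not value.startswith("OAuth "):
        return None
    for part in value[6:].split(","):
        key, _, val = part.strip().partition("=")
        if key == "oauth_token":
            return val.strip('"')
    return None


def authenticate(req):
    """Assign a principal. Web-service requests never consult cookies."""
    if req.path.startswith("/api/"):
        # Marking the request as OAuth-signed and choosing the principal
        # happen together; no token means the unauthenticated principal.
        req.oauth_signed = True
        token = _token_from_header(req.headers.get("Authorization", ""))
        user = OAUTH_TOKENS.get(token)
        req.principal = user if user else ANONYMOUS
    else:
        # Browser UI path: the session cookie identifies the user.
        req.principal = SESSIONS.get(req.cookies.get("lp"), ANONYMOUS)
    return req.principal


def modify_dataset(req, dataset):
    """A write that requires an authenticated principal. Returns True if applied."""
    if req.method != "POST" or req.principal == ANONYMOUS:
        return False
    dataset["last_modified_by"] = req.principal
    return True


def csrf_post_via_webservice():
    """Attacker's page makes the victim's browser POST to the web service.
    The browser attaches the session cookie but no Authorization header."""
    req = Request("/api/devel/bugs/1", "POST", cookies={"lp": "sess-abc"})
    authenticate(req)
    return req.oauth_signed, req.principal, modify_dataset(req, {})


def legitimate_oauth_post():
    """A real API client presents its token (signature checking omitted here)."""
    req = Request("/api/devel/bugs/1", "POST",
                  headers={"Authorization": 'OAuth oauth_token="tok-123"'})
    authenticate(req)
    return req.oauth_signed, req.principal, modify_dataset(req, {})


if __name__ == "__main__":
    print("CSRF POST :", csrf_post_via_webservice())  # (True, 'unauthenticated', False)
    print("OAuth POST:", legitimate_oauth_post())     # (True, 'alice', True)
```

The point the model makes concrete is that the forged request does reach the web service and is indeed treated as a signed request, but it arrives with the anonymous principal, so the authorization check on the write, not a CSRF token, is what stops it.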