Now that CSRF protection has been moved to middleware I am not finding a convenient way to turn it off within the application for certain actions. This seems to become an issue when you are trying to implement RESTful API endpoints within the application. Are there any plans to facilitate the activation/deactivation of CSRF protection for defined actions?
I was also noticing that when submitting AJAX requests back to the server it is being recommended to retrieve the CSRF token from the csrfToken cookie. If the cookie is set to secure and httpOnly (which I believe is best practice), you will not be able to retrieve the token this way. You would need to use $this->request->getParam('_csrfToken'). Is there a reason this would not be the case?
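An added client-side example (not part of the original post) showing the pattern the second paragraph implies: when the cookie is httpOnly, script cannot read it, so the token obtained server-side via $this->request->getParam('_csrfToken') is assumed to be rendered into a meta tag named csrfToken, and the AJAX layer sends it in the X-CSRF-Token header on state-changing requests only.

```javascript
// Added example, not code from the original post or from the framework.
// Assumption: the server-side view renders the token from
// $this->request->getParam('_csrfToken') into <meta name="csrfToken" content="...">,
// because an httpOnly cookie is invisible to document.cookie.
const TOKEN_HEADER = 'X-CSRF-Token';
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Read the token from the rendered page, never from document.cookie.
// `doc` is passed in so the function can be exercised without a browser.
function csrfTokenFromDocument(doc) {
  const meta = doc.querySelector('meta[name="csrfToken"]');
  const token = meta && meta.getAttribute('content');
  if (!token) {
    throw new Error('CSRF token missing: render it into a meta tag server-side');
  }
  return token;
}

// Build fetch options carrying the token. Safe (read-only) methods are left
// untouched; everything else gets the header. credentials: 'same-origin'
// ensures the httpOnly cookie still travels so the server can compare the two.
function withCsrf(init, token) {
  const method = (init.method || 'GET').toUpperCase();
  const headers = Object.assign({}, init.headers || {});
  if (!SAFE_METHODS.includes(method)) {
    headers[TOKEN_HEADER] = token;
  }
  return Object.assign({}, init, { method, headers, credentials: 'same-origin' });
}

// Convenience wrapper for JSON POSTs from page script (uses the global document).
function postJson(url, body, doc) {
  const token = csrfTokenFromDocument(doc || document);
  const init = withCsrf({
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  }, token);
  return fetch(url, init);
}
```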