
CSRF and Ajax: Do I need protection?

Developer https://www.devze.com 2023-02-08 00:05 Source: Web

Do I need to use csrf tokens in my ajax requests?

I think that someone tricking my users to execute malicious ajax requests from another site, to my site, will fail because of the origin policy, which is handled by the browser, am I right?

I don't care about duplicated requests when using ajax, I'm only asking about the attacks. Am I at risk if I don't use csrf in my ajax requests?


As per my research, we can reduce the vulnerability by using POST requests (for the requests which will have side effects). But the thing is that we can forge the POST request as well with form submission, because the same-origin policy does not apply to plain HTML form submissions. But it applies to requests which are generated with JS.

So if you use an Ajax POST request, you are safe if you are using a JSON payload, because a URL-encoded payload (POST request) can be forged with form submission from other sites. If you use JSON, as it is not possible to send a plain-text payload (without URL-form encoding) with HTML form submission, you are safe. Because with an Ajax POST request, if you use a URL-form-encoded data payload, it can be forged with POST form submission.


This is how we solved the problem with CSRF token in Ajax requests http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html


The fact that you are using Ajax doesn't mean that others have to as well. Your server won't be able to distinguish a request made by XHR from one made by <form> submission. (Yes XHR usually adds a header identifying itself, but this is not hard to spoof.)

So yes, you do need to consider CSRF attacks.

Edit

Django has a POC, which is why they and Ruby on Rails now implement CSRF protection on AJAX requests.

Once again, please check your facts before downvoting, and explain what the downvote is for.

