There are several ways to forge a request in a CSRF attack: iframe, script tag, image tag, scripted window.open(), and so on. As far as I know XHR is not one of these, because cross-domain rules kick in before the request is sent and not when the reply is read.
Both iframe and XHR will allow you to construct POST requests; the other attack mechanisms are restricted to GET only. With the iframe method, you use some DOM scripting to create a form whose target is an iframe and then submit it. This implies that only form-formatted data can be sent over an iframe POST request: a form can only produce the encodings its enctype attribute allows (application/x-www-form-urlencoded, multipart/form-data or text/plain), and it cannot set arbitrary headers.
So in the Ajax world, it might be possible to have a CSRF-safe application that works simply by insisting on POST and denying anything that is application/x-www-form-urlencoded. For the check to hold, the server has to reject every content type a form can produce (multipart/form-data and text/plain as well as the urlencoded form), so in practice it is an allow-list of a single non-form type such as application/json rather than a deny-list of one. Clearly this technique won't work for non-Ajax requests because it requires the browser to use XHR.
Obviously this is a fairly advanced technique, but it might be useful for anyone writing an Ajax library such as DWR. I should see if I can't find a DWR tech-lead around here somewhere.
Does anyone have any clues as to whether this might help as part of a defence-in-depth policy?
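As an added example (not code from the post above, and not DWR's own code), here is the server-side half of the idea: a check that admits a request only when it is a POST carrying a Content-Type that an HTML form cannot send. The request objects are a constructed stand-in for whatever HTTP request type a framework hands you (`{ method, headers }`), and the function names `classifyRequest`, `mediaType` and `getHeader` are assumptions for this illustration. It goes slightly beyond the post by also rejecting multipart/form-data and text/plain, the other two encodings a form's enctype can produce, and by normalising the header before comparison so that `application/json; charset=utf-8` is accepted while `TEXT/PLAIN` is not.

```javascript
// Added example, not part of the original post or of DWR. Demonstrates a
// content-type based CSRF check: only POSTs with a Content-Type that an HTML
// form cannot generate are allowed through.

// The three encodings an HTML form's enctype attribute can produce. A forged
// form submission (iframe/auto-submit) is limited to exactly these.
const FORM_SUBMITTABLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Positive allow-list: the only type the Ajax endpoint accepts. Assumption:
// the library speaks JSON; a custom type would work equally well.
const ALLOWED_TYPES = new Set(['application/json']);

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(req, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(req.headers || {})) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// Reduce "Application/JSON; charset=utf-8" to "application/json" so that
// parameters and letter case cannot be used to slip past the comparison.
function mediaType(contentTypeHeader) {
  if (typeof contentTypeHeader !== 'string') return '';
  return contentTypeHeader.split(';')[0].trim().toLowerCase();
}

// Returns { ok, reason }. Anything that is not a POST, has no Content-Type,
// carries a form-submittable type, or carries a type outside the allow-list
// is refused. The order matters only for the reason reported.
function classifyRequest(req) {
  const method = String(req.method || '').toUpperCase();
  if (method !== 'POST') return { ok: false, reason: 'method-not-post' };

  const type = mediaType(getHeader(req, 'Content-Type'));
  if (type === '') return { ok: false, reason: 'missing-content-type' };
  if (FORM_SUBMITTABLE_TYPES.has(type)) {
    return { ok: false, reason: 'form-submittable-type' };
  }
  if (!ALLOWED_TYPES.has(type)) return { ok: false, reason: 'type-not-allowed' };
  return { ok: true, reason: 'ok' };
}

// Constructed sample requests (not captured traffic). The first four are what
// a forged <form> or <img> can send; the last is what a legitimate XHR sends.
const SAMPLE_REQUESTS = [
  { label: 'forged form POST', method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { label: 'forged multipart POST', method: 'POST',
    headers: { 'content-type': 'multipart/form-data; boundary=----abc' } },
  { label: 'forged text/plain POST', method: 'POST',
    headers: { 'Content-Type': 'TEXT/PLAIN' } },
  { label: 'forged <img> GET', method: 'GET', headers: {} },
  { label: 'legitimate XHR POST', method: 'POST',
    headers: { 'Content-Type': 'application/json; charset=utf-8' } },
];

// Run every sample through the check; returns [{ label, ok, reason }].
function runSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((req) => ({ label: req.label, ...classifyRequest(req) }));
}

for (const result of runSamples()) {
  console.log(`${result.ok ? 'ALLOW' : 'DENY '} ${result.label} (${result.reason})`);
}
```

The check only helps because a cross-origin XHR that sets a non-form Content-Type is a non-simple request in the browser's CORS rules, so the browser will not send it without a preflight the target server has to approve; it does nothing for same-origin script injection, and it belongs alongside a token-based defence rather than in place of one.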