When activating CSRF protection, you have the option to send in the token as either a header or a URL parameter. It should be possible to introduce a toggle that toggles the option of sending in the CSRF token as a URL parameter, and only allows for it as a header.
Comment From: bclozel
I think you meant to open this issue against the Spring Security project.
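For readers of this thread, an added example (not part of either post, and not code from the Spring projects) of enforcing header-only CSRF tokens with a custom request handler. It assumes Spring Security 6.x with the servlet stack; the class names `HeaderOnlyCsrfTokenRequestHandler` and `CsrfHeaderOnlyConfig` are hypothetical.

```java
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;

// Hypothetical class name; accepts the CSRF token from the request header only.
final class HeaderOnlyCsrfTokenRequestHandler implements CsrfTokenRequestHandler {

    // The stock handler still publishes the masked token as a request attribute.
    private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       Supplier<CsrfToken> csrfToken) {
        this.delegate.handle(request, response, csrfToken);
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        // The default resolution falls back to request.getParameter(...) when the
        // header is absent. Returning null here makes CsrfFilter reject the request
        // instead, so a token in the query string or form body is never accepted.
        if (request.getHeader(csrfToken.getHeaderName()) == null) {
            return null;
        }
        // Header present: the delegate reads the header first and unmasks it.
        return this.delegate.resolveCsrfTokenValue(request, csrfToken);
    }
}

@Configuration
class CsrfHeaderOnlyConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.csrfTokenRequestHandler(new HeaderOnlyCsrfTokenRequestHandler()));
        return http.build();
    }
}
```

Because `getParameter` covers form fields as well as the query string, HTML forms that post the token as a hidden `_csrf` field are rejected under this handler. Clients have to send the token in the header named by the configured token repository.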