I guess the big question is whether or not the XSRF protection is a function of the payload envelope or needs deeper support. If it can be done at the transport layer, extending DefaultRequestTransport seems like easy way to mix it in.
-- Bob Vawter Google Web Toolkit Team -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
