
make additional CSRF protection possible

Open lloyd opened this issue 13 years ago • 1 comment

Currently it's not possible for a site to pass extra parameters into the POST requests that will occur.

We should allow them to pass through parameters, like CSRF tokens and whatever else they want.

While designing the library to use POST requests does provide a basic level of protection, there are still scenarios where we may be encouraging a design that would allow unwanted logouts to occur...

lloyd avatar Jul 21 '12 19:07 lloyd

@benadida writes:

Well, it might be a bit too paternalistic to prescribe a CSRF parameter name, since sites might be using one already and different frameworks have different names for the parameter, so I would suggest something along the lines of:

  • allow extra parameters, CSRF or otherwise
  • in all examples, use a CSRF token and explain why
  • optionally, if no extra parameters are given, console.log a nudge?

lloyd avatar Jul 21 '12 21:07 lloyd