OK thanks, but what defines whether or not it's necessary? Surely all forms should be protected? "product-details-form" in ProductTemplate.SingleVariant.cshtml, for example, isn't?
I disagree with the stance that NOP is being secured sufficiently. CSRF protection should be used everywhere a POST is made, including the admin pages. Having received many security audits over the years from different pentest companies for commercial software (used by sensitive clients including gov and banking) I work on, I am about to tackle my version of NOP.
It is simple to do and will need to be applied to all of the actions and jQuery code. This would be picked up in seconds from an audit.
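One way to start the audit discussed above, as an added example that is not part of the original thread or of nopCommerce's code: a heuristic Python scan of Razor views for POST forms that never render `@Html.AntiForgeryToken()`. The view snippets are constructed (only the form id comes from the thread), and the scan covers markup only, so the `[ValidateAntiForgeryToken]` attribute on each action and the jQuery AJAX posts still need their own review.

```python
import re
# Constructed Razor views for illustration; not copied from nopCommerce.
SAMPLE_VIEWS = {
    "Unprotected.cshtml": '''
@using (Html.BeginRouteForm("Product", new { SeName = Model.SeName }, FormMethod.Post, new { id = "product-details-form" }))
{
    <div class="product-essential">@Model.Name</div>
}
''',
    "Protected.cshtml": '''
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
}
<form method="get" action="/search"><input name="q" /></form>
<form method="post" action="/subscribe"><input name="email" /></form>
''',
}
HELPER = re.compile(r"Html\.Begin(?:Route)?Form\s*\(")
RAW_FORM = re.compile(r"<form\b[^>]*>", re.I)
TOKEN = "Html.AntiForgeryToken("

def _close(text, start, opener, closer):  # index just past the matching closer
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == opener) - (text[i] == closer)
        if depth == 0:
            return i + 1
    return len(text)

def unprotected_forms(name, text):
    """Return (file, line, kind) for each POST form whose body lacks the token."""
    found = []
    for m in HELPER.finditer(text):
        args_end = _close(text, m.end() - 1, "(", ")")
        brace = text.find("{", args_end)  # start of the using-block body
        if "FormMethod.Get" in text[m.start():args_end] or brace == -1:
            continue  # GET forms are out of scope; no block body to inspect
        if TOKEN not in text[brace:_close(text, brace, "{", "}")]:
            found.append((name, text.count("\n", 0, m.start()) + 1, "helper"))
    for m in RAW_FORM.finditer(text):
        if re.search(r"method\s*=\s*[\"']?post", m.group(0), re.I):
            end = text.lower().find("</form>", m.end())
            if TOKEN not in text[m.end():end if end != -1 else len(text)]:
                found.append((name, text.count("\n", 0, m.start()) + 1, "raw"))
    return found

def audit(views):
    return [hit for name, text in views.items() for hit in unprotected_forms(name, text)]
```

Calling `audit(SAMPLE_VIEWS)` flags the helper form on line 2 of the first view and the raw POST form on line 7 of the second; to run it over a real tree, build the `views` dict from the `.cshtml` files on disk.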