I wouldn't call it a mistake. If you had asked me before this afternoon whether trusting X-Requested-With would protect against CSRF, I would have said yes. I still have no idea how you can send arbitrary cross-domain requests in Java and Flash: the fact that you can do so is a security vulnerability in and of itself.
That being said, I'm going to let them know to fix that code. ;)
That being said, I'm going to let them know to fix that code. ;)