DNS rebinding vulnerability
Even if #19626 is fixed, the HTTP interface is still subject to CSRF via DNS rebinding. An expert opinion is required here.
I guess a session identifier should be required for all requests with an Origin header, e.g.:
/browse.xml?dir=foobar&hosthash=XXX
where XXX is a secure HMAC of the expected Origin header value with a pseudo-random secret (generated at start-up).