I think this is the original email discussion in which Cross-Site Request Forgery was first named and described.