Make passing CSRF token easier by passing through query string

The CSRF token requirement introduced in #2014573: D6 fix of csrf security advisory SA-CONTRIB-2013-051 and discussion of the services D6 situation has caused some significant problems for situations where the token needs to be passed in via JavaScript. In the Ooyala module, we have a progress bar that indicates how far along the video upload has progressed. However because this status callback is provided via services (by a POST request), we get caught by the CSRF token not being present.

Not all JS within Drupal (or external libraries) are capable of passing headers to their various JavaScript AJAX requests. For some reason when the CSRF token was first introduced, it was done exclusively through checking HTTP headers, which makes doing things like using Drupal's progress bar pinging a Services-provided callback impossible.

To alleviate this problem, I suggest that we check not only $_SERVER['HTTP_X_CSRF_TOKEN'] but also $_GET['services_token'] (or something) that can be passed directly via the URL. I can't think of any reason why using a query string would be any less secure than using a separate HTTP header, since ultimately the URL itself is just a header in the request.