CSRF protection for ajax requests by double submitting cookies - Some PATCH love wanted.

Currently the authenticity_token is attached to each Ajax snippet Rails generates. This is fine when you rely exclusively on Rails helpers, but it makes it overly difficult for hand-written JavaScript.

I've proposed a small change to prototype.js so that the cookies are sent attached to each Ajax request via an additional _cookie parameter. If the _cookie matches the session cookie, we know it is a valid request even though authenticity_token was not attached.

So give some love here:


This not only gives CSRF protection for all JS requests (manual or not) but will also automatically make Autocomplete and InPlaceEditing and other plugins work.
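
The server-side half of the double-submit check described above, as an added example that is not part of the original post or of the proposed prototype.js patch. It assumes `_cookie` carries the `name=value; ...` string script reads from `document.cookie`; the cookie name `_session_id` and all function names are hypothetical.

```ruby
# Added example: double-submit check for the _cookie parameter described above.
# SESSION_COOKIE and the function names are assumptions, not Rails or prototype.js code.
SESSION_COOKIE = "_session_id" # hypothetical session cookie name

# Parse a "name=value; name2=value2" string (Cookie header or document.cookie).
def parse_cookies(str)
  str.to_s.split(/;\s*/).each_with_object({}) do |pair, out|
    name, value = pair.split("=", 2)
    out[name.strip] = value unless name.nil? || value.nil?
  end
end

# Compare without returning early at the first differing byte.
# Missing or empty values never match, so "no cookie" == "no parameter" is rejected.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.empty? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# cookie_header: the raw Cookie request header sent by the browser.
# params: request parameters; "_cookie" holds what script read from document.cookie.
# session_token: the authenticity_token stored in the session.
def request_verified?(cookie_header, params, session_token)
  return true if secure_equal?(params["authenticity_token"], session_token)
  from_header = parse_cookies(cookie_header)[SESSION_COOKIE]
  from_param  = parse_cookies(params["_cookie"])[SESSION_COOKIE]
  secure_equal?(from_param, from_header)
end

# Constructed sample requests (values are made up for illustration).
HEADER = "theme=dark; _session_id=3f9a1c77e2"
SAMPLES = {
  same_site_ajax:    [HEADER, { "_cookie" => "theme=dark; _session_id=3f9a1c77e2" }],
  forged_no_param:   [HEADER, {}],
  forged_guess:      [HEADER, { "_cookie" => "_session_id=guess" }],
  helper_with_token: [HEADER, { "authenticity_token" => "tok123" }],
  no_session_at_all: ["", { "_cookie" => "" }]
}

def sample_results
  SAMPLES.transform_values { |hdr, params| request_verified?(hdr, params, "tok123") }
end

puts sample_results.inspect if __FILE__ == $PROGRAM_NAME
```

The check depends on script being able to read the session cookie, so it does not work when that cookie is marked HttpOnly.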