Rather than have every Openfire plugin jump through the same hoops to counter CSRF attacks, the core server should provide support that each plugin can utilise.