Ok, I'm not sure whether this is a bug or not, but it sure looks like one. I thought I'd stop by here to see if it was one. When I enable CSRF via the request component's attribute "enableCsrfValidation" I get a fatal error:
Call to undefined method CHttpRequest::getCsrfTokenFromCookie()
Now, who's to blame here? Did I mess something up? If I did, I have no freakin' clue what I did wrong.