Add XSRF protection to oauth2decorator callback.
Also update all samples to use XSRF callback protection.

Reviewed in https://codereview.appspot.com/6473053/.
diff --git a/samples/appengine/grant.html b/samples/appengine/grant.html
index 0087325..aeb678b 100644
--- a/samples/appengine/grant.html
+++ b/samples/appengine/grant.html
@@ -8,7 +8,7 @@
       application</a>.</p>
     {% else %}
     <p><a href="{{ url }}">Grant</a> this application permission to read your
-    Buzz information and it will let you know how many followers you have.</p>
+    Google+ information and it will let you know how many followers you have.</p>
     {% endif %}
     <p>You can always <a
       href="https://www.google.com/accounts/b/0/IssuedAuthSubTokens">revoke</a>