Hacker News: shinryuu's favorites

You can use CORS and withCredentials to use simple cookie-based browser sessions for authentication. It's still hard against CSRF because as long as you properly origin-check the request you don't have to worry about form forgery.

Wrote about this some at http://www.divshot.com/blog/static-apps/cookies-and-cors
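An added example (not from the comment or the linked post) of the origin check described above, as a framework-free JavaScript sketch. The allowlisted origin, the function names and the choice to reject state-changing requests that carry no Origin header are assumptions.

```javascript
// Constructed placeholder: the one front-end origin allowed to use the session cookie.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Response headers that let the browser expose a credentialed response to the page.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // no CORS grant for unknown origins
  return {
    // Browsers refuse "*" on credentialed requests, so echo the exact origin.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches from replaying one origin's grant to another
  };
}

// Decide whether a cookie-authenticated request may be processed at all.
// CORS headers only control what the calling page can read; a forged form POST
// would still execute, so the server must check Origin itself before acting.
function checkRequest(method, headers) {
  const origin = headers["origin"]; // header names lower-cased, as Node provides them
  if (SAFE_METHODS.has(method.toUpperCase())) {
    // Safe methods must not change state; unknown origins simply get no grant.
    return { allowed: true, headers: corsHeaders(origin) };
  }
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // Covers other sites, sandboxed frames (Origin: null) and a missing header.
    return { allowed: false, status: 403, headers: {} };
  }
  return { allowed: true, headers: corsHeaders(origin) };
}

// Constructed sample requests: the app's own XHR, then a cross-site form post.
const ownXhr = checkRequest("POST", { origin: "https://app.example.com" });
const forgedForm = checkRequest("POST", { origin: "https://evil.example" });
console.log(ownXhr.allowed, forgedForm.allowed, forgedForm.status);
```

On the client side, the request has to opt in to sending the cookie (`xhr.withCredentials = true`, or `credentials: "include"` with `fetch`).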

