
Yes, I think it's considered CSRF, but indeed it's not as bad as it could have been, since it still requires that you know the username of the logged in user.

It's also nowhere near as bad as the state of the Twitter API and apps, which require a username and password. People don't think twice about providing unlimited access to their Twitter account to random websites. Hopefully the OAuth API will fix that.

@pg: I think one solution would be to reject any vote requests with a Referrer header other than news.ycombinator.com



Referer is totally insecure.

If all it is is votes, I say the right solution is "let it go".


AFAIK, checking the Referer header actually works for preventing CSRF because you can't modify it for the types of requests that work cross domain, i.e. loading <img>, <script>, etc tags, or posting forms.


Your assumption here isn't crazy, but it depends on the browser, and you shouldn't rely on it.
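The thread leaves the defensive side implicit, so here is an added example (not code from Hacker News or from any commenter) showing how a vote endpoint would check a request: it requires POST for the state change, accepts the Origin header (falling back to Referer only when Origin is absent), rejects requests that carry neither header rather than treating a missing Referer as trusted, and then still demands a per-session synchronizer token, because the Referer check alone is the part the last comment says not to rely on. The allowed origin `https://news.ycombinator.com` is taken from the thread; the function names, the `headers`/`form`/`session` dictionaries and the sample requests are assumptions constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the only site from which vote requests are legitimate.
ALLOWED_ORIGIN = "https://news.ycombinator.com"


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_matches(headers, allowed_origin=ALLOWED_ORIGIN):
    """Return True only if Origin (preferred) or Referer names the allowed site.

    Origin is compared exactly, so the literal value "null" fails.
    Referer is reduced to scheme://host so that a host such as
    news.ycombinator.com.attacker.example does not pass a prefix test.
    A request with neither header is rejected: browsers and privacy tools
    may strip Referer, and "no header" must never mean "trusted".
    """
    origin = _header(headers, "Origin")
    if origin is not None:
        return origin.strip().lower() == allowed_origin
    referer = _header(headers, "Referer")
    if referer is None:
        return False
    parts = urlsplit(referer.strip())
    return f"{parts.scheme}://{parts.netloc}".lower() == allowed_origin


def issue_csrf_token():
    """Mint a fresh random token to store in the session and embed in the form."""
    return secrets.token_urlsafe(32)


def token_valid(session_token, submitted_token):
    """Constant-time comparison of the session's token with the submitted one."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def vote_request_allowed(method, headers, form, session):
    """Decide whether a vote may be applied. All three checks must pass:
    1. state changes only over POST (a GET vote link can be triggered by an <img>);
    2. the request originates from the allowed site;
    3. the form carries the synchronizer token tied to this session.
    """
    if method.upper() != "POST":
        return False
    if not origin_matches(headers):
        return False
    return token_valid(session.get("csrf_token"), form.get("csrf_token"))


if __name__ == "__main__":
    # Constructed sample session and requests, not captured traffic.
    session = {"csrf_token": issue_csrf_token()}
    legitimate = vote_request_allowed(
        "POST",
        {"Origin": "https://news.ycombinator.com"},
        {"csrf_token": session["csrf_token"]},
        session,
    )
    forged_form_post = vote_request_allowed(
        "POST",
        {"Origin": "https://attacker.example"},
        {"csrf_token": "guess"},
        session,
    )
    print("legitimate vote accepted:", legitimate)
    print("cross-site post rejected:", not forged_form_post)
```

The token check is what actually carries the protection; the origin check is a cheap first filter that also gives you a clear signal to log (a vote with a foreign or missing Origin is worth alerting on), but it is not something to rely on by itself, which is the caveat the comment above raises.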



