To reuse an existing Splunk web session for Javascript REST API calls, you obviously have to transfer the CSRF cookie content into an HTTP header. This is what works for me (Splunk 6.6.2):
var xhr = new XMLHttpRequest();
xhr.open('POST', '/en-US/splunkd/__raw/services/data/indexes', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xhr.setRequestHeader('X-Splunk-Form-Key', document.cookie.match(/splunkweb_csrf_token_8000=(\d+)/)[1]);
xhr.send("name=mybrandnewindex&output_mode=json")
... View more