Is the JSON CSRF/Theft attack still possible?
I read this article: http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
And I tried to use the technique, but it seems to fail on (at least) most browsers I tried. Basically you return JSON on your site and someone else does a <script src="domain.com/response.php?json"></script> and then you set up your own object/array constructors to steal the data.
Is this still viable with modern browsers? Should I use tokens to prevent this?
Is this still viable with modern browsers?
Yes. And browsers are not the issue.
Non-browser applications can make HTTP requests, also. Applications like curl can probably be used for this kind of thing. Or you can write something in Python using urllib2 to do CSRFs. You can easily fake out responses of all kinds if the framework doesn't properly include CSRF tokens.
Should I use tokens to prevent this?
You should find a framework that provides you the support for handling this.
No, the  constructor is no longer overrideable, and setters are no longer called for object initializers. See http://www.thespanner.co.uk/2011/05/30/json-hijacking/ and "Is JSON Hijacking still an issue in modern browsers?".
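
A way to check the last answer's claim in the engine you actually run (Node.js here), as an added example that is not part of the original thread: it installs a replaced global Array constructor and an Object.prototype setter, evaluates a constructed JSON array the way a script include would, and returns which hooks ran. The field name "secret", the sample payload and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. SAMPLE_JSON is constructed data;
// "secret" is a hypothetical field name.
const SAMPLE_JSON = '[{"secret": "constructed-value"}]';

// Evaluate `source` in global scope with two hooks installed:
//   1. a replacement for the global Array constructor
//   2. a setter for `field` on Object.prototype
// Returns the names of the hooks that fired while `source` ran.
function hooksFiredBy(source, field = 'secret') {
  const fired = [];
  const RealArray = globalThis.Array;
  globalThis.Array = function FakeArray() {
    fired.push('Array constructor');
    return new RealArray();
  };
  Object.defineProperty(Object.prototype, field, {
    configurable: true,
    set(value) { fired.push('setter:' + value); },
  });
  try {
    (0, eval)(source); // indirect eval runs in global scope, like a script include
  } finally {
    // Always restore the real built-ins, even if `source` throws.
    globalThis.Array = RealArray;
    delete Object.prototype[field];
  }
  return fired;
}

// The literal case is what a JSON response is; the two explicit cases are
// controls showing the hooks do work when code calls them directly.
function report() {
  return {
    jsonLiteral: hooksFiredBy(SAMPLE_JSON),
    explicitConstructor: hooksFiredBy('new Array(1, 2)'),
    explicitAssignment: hooksFiredBy('({}).secret = "x"'),
  };
}

console.log(report());
```

An empty list for jsonLiteral alongside non-empty lists for the two controls means the engine builds literals without consulting page-defined constructors or setters.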