@scottalanmiller It is probably a regression introduced when I refactored the CSRF system so that it could be required only on certain pages.
Unfortunately the csrf middleware that we use doesn't allow me to generate CSRF tokens without also requiring CSRF tokens...