fix(csrf): give CSRF token when using /ajax route

The /ajax route, used for inlined edition for instance, is currently rejected because no csrf token is provided.

In this patch, we grab the csrf_token and provide it to all the /ajax calls, as explained here