fix(csrf): give CSRF token when using /ajax route
The /ajax route, used for inlined edition for instance, is currently rejected because no csrf token is provided.
In this patch, we grab the csrf_token and provide it to all the /ajax calls, as explained here