(mvc) csrf protection, not very likely to hit in normal situations, but when using legacy free applications, there might not be a csrf token leading to a denial of all requests.

(cherry picked from commit 29e3bb3e)