You can clone with
As /static/cms//js/csrf.js and CMS.API.Security rely on CSRF_COOKIE_NAME being the default which is "csrftoken", ajax features, such as the moderation feature in the pages change list, break when CSRF_COOKIE_NAME is set to something else.
Don't change CSRF_COOKIE_NAME ;)
This also may be the case with cmsplugin_contact, which uses the internal WYMEditor - CSRF failure after clicking "insert plugin" in the editor.
we need a new way to handle ajax/csrf