I am sending ajax post request and it seems that _csrf parameter is completly ignored.
$form = ActiveForm::begin(['id' => 'csrf-forma',]);
echo $form->field($csrfModel,'returnUrl')->hiddenInput();
ActiveForm::end();
$this->registerJs("$(document).ready( function(){
var returnUrl = window.location.href;
$('.link').click(function(e)
{
e.preventDefault();
var url = $(this).attr('href');
$('#dummyform-returnurl').val(returnUrl);
var forma = $('#csrf-forma').serialize();
$.post(url, forma);
});
} );");
On the server side I can make an istance of DummyForm and it doesn’t matter if _csrf is correct or not if DummyForm is sent through ajax post request.