Context:
- You are developing a web application that has an anti-CSRF function (transaction tokens).
- You are using Chrome to test and debug the application.
Problem:
Once you have viewed the HTML source with “View page source” from the context menu, subsequent requests fail because the token no longer matches.
Reason:
If a page was received with HTTP headers like “Cache-Control: private, no-store, no-cache, must-revalidate”, Chrome sends another request for the “View page source” operation in order to show the source of the page. This appears to be by design.
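The effect can be modelled in a few lines of Python. This is an added example, not code from the original note; it assumes the application replaces the stored transaction token every time the form page is rendered, and all class and function names are hypothetical. It also shows a per-session token, which the extra request does not disturb.

```python
import secrets


class RotatingTokenSession:
    """Assumed design: each render of the form page issues a new one-time token."""

    def __init__(self):
        self.token = None

    def render_form(self):
        # A GET for the page overwrites whatever token was stored before.
        self.token = secrets.token_urlsafe(16)
        return self.token

    def submit(self, token):
        ok = self.token is not None and secrets.compare_digest(self.token, token)
        self.token = None  # one-time use
        return ok


class StableTokenSession:
    """Alternative design: one token per session, reused on every render."""

    def __init__(self):
        self.token = secrets.token_urlsafe(16)

    def render_form(self):
        return self.token

    def submit(self, token):
        return secrets.compare_digest(self.token, token)


def simulate(session, view_source):
    """Return True if the form already open in the tab still submits."""
    token_in_tab = session.render_form()  # normal page load
    if view_source:
        # Chrome re-requests the no-store page; the response only feeds
        # the source viewer, the tab keeps the token from the first load.
        session.render_form()
    return session.submit(token_in_tab)


if __name__ == "__main__":
    for cls in (RotatingTokenSession, StableTokenSession):
        for view_source in (False, True):
            print(cls.__name__, "view_source =", view_source,
                  "-> accepted =", simulate(cls(), view_source))
```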