- You are developing a web application that has an anti-CSRF function (transaction tokens).
- You are using Chrome to test and debug the application.
Once you have viewed the HTML source with “View page source” from the context menu, subsequent requests will fail because of a token mismatch.
If a page was received with HTTP headers like “Cache-Control: private, no-store, no-cache, must-revalidate”, Chrome sends another request for the “View page source” operation in order to show the source of the page. This seems to be by design.
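
The failure described above, as an added example that is not code from the original page: it assumes a server that issues a fresh transaction token on every GET of the form page and remembers only the latest one, so the extra GET made for “View page source” strands the token in the page already on screen. All class and function names are hypothetical, and `TokenPoolSession` is one possible alternative design that goes beyond what the page describes.

```python
import secrets
from collections import deque


class SingleTokenSession:
    """Assumed server design: only the most recently issued token is valid."""

    def __init__(self):
        self.token = None

    def render_form(self):
        # Every GET of the form page replaces the previous token.
        self.token = secrets.token_hex(16)
        return self.token

    def submit(self, token):
        ok = self.token is not None and secrets.compare_digest(self.token, token)
        if ok:
            self.token = None  # single use
        return ok


class TokenPoolSession:
    """Alternative (assumption): keep the last few issued tokens per session."""

    def __init__(self, max_outstanding=4):
        self.tokens = deque(maxlen=max_outstanding)

    def render_form(self):
        token = secrets.token_hex(16)
        self.tokens.append(token)  # oldest token drops out when the pool is full
        return token

    def submit(self, token):
        for candidate in list(self.tokens):
            if secrets.compare_digest(candidate, token):
                self.tokens.remove(candidate)  # still single use
                return True
        return False


def view_source_scenario(session):
    page_token = session.render_form()  # 1. browser loads the form page
    session.render_form()               # 2. "View page source" re-requests the no-store page
    return session.submit(page_token)   # 3. user submits the form rendered in step 1


if __name__ == "__main__":
    print("single token:", view_source_scenario(SingleTokenSession()))
    print("token pool:  ", view_source_scenario(TokenPoolSession()))
```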