Update csrf_safe? to check the headers. Add some JS code to insert the CSRF token into the XHR request headers.

app.rb

@@ -252,7 +252,7 @@ def require_login_ajax
 end
 
 def csrf_safe?
-  csrf_token == params[:csrf_token]
+  csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
 end
 
 def csrf_token

views/layout.slim

@@ -9,6 +9,7 @@ html
     link href="/css/styles.css" rel="stylesheet"
     meta property="og:title" content="NeoCities"
     meta property="og:description" content="NeoCities is the new Geocities. Create your own free home page, and do whatever you want with it."
+    meta name="csrf-token" content="#{csrf_token}"
     script src="/js/jquery.min.js"
 
   body
@@ -40,6 +41,16 @@ html
 
   script src="/js/bootstrap.min.js"
 
+  javascript:
+    !function(){
+      var csrf_token = $('meta[name="csrf-token"]').attr('content');
+
+      $(document).ajaxSend(function(ev, jqxhr){
+        jqxhr.setRequestHeader('X-CSRF-Token', csrf_token);
+      });
+    }();
+
+
   javascript:
     (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
     (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
@@ -47,4 +58,4 @@ html
     })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
 
     ga('create', 'UA-41925541-1', 'neocities.org');
-    ga('send', 'pageview');
+    ga('send', 'pageview');