clientChange() has a csrf option, but this does not work for things like ajaxButton() because it requires the submit option passed in htmlOptions where as ajaxButton passes the url in ajaxOptions.
Having to manually add something like this to every ajax use seems silly, when it can simply include a ‘csrf’=>true.
Yii::app()->request->csrfTokenName => Yii::app()->request->csrfToken
Also, why the need for ‘csrf’=>true at all? Why not just turn it on by default if $request->enableCsrfValidation is true?