Well, I have this scenario:
I have two little apps, one powered by Qooxdoo, and the other by ExtJS 4.
These apps live standalone, and they make POST AJAX requests.
So, in a normal scenario Yii provides a hidden field with the _csrf token for POST requests, but these apps do not have that hidden field.
Well, the easy solution for me to avoid a 400 Bad Request error is to disable CSRF validation for AJAX requests.
Anyway, does any of you have an elegant idea for keeping CSRF validation enabled in my scenario?
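
Added example, not part of the original post: one way to keep CSRF validation on for AJAX clients that have no hidden form field is to send the token in a request header, limited to same-origin, state-changing requests so it never leaks to another host. It assumes Yii 2, which reads the token from the `X-CSRF-Token` header when the POST field is absent, and a page that exposes the token in a `<meta name="csrf-token">` tag; `csrfHeaders`, `tokenFromMeta`, `postJson` and the `app.example` origin are hypothetical names.

```javascript
// Added example: decide which AJAX requests carry the CSRF token header.
const CSRF_HEADER = 'X-CSRF-Token'; // header Yii 2 checks when the _csrf field is missing
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // Yii 2 does not validate these

// True only when `url` resolves to the same scheme, host and port as the page.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign and send no token
  }
}

// Returns the extra headers for one request; empty for safe or cross-origin calls.
function csrfHeaders(method, url, pageOrigin, getToken) {
  const m = String(method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(m)) return {};
  if (!isSameOrigin(url, pageOrigin)) return {};
  const token = getToken();
  if (!token) throw new Error('CSRF token unavailable; refusing to send ' + m);
  return { [CSRF_HEADER]: token };
}

// Assumption: the host page renders <meta name="csrf-token" content="...">.
function tokenFromMeta(doc) {
  const el = doc.querySelector('meta[name="csrf-token"]');
  return el ? el.getAttribute('content') : null;
}

// POST helper; `fetchImpl` is injectable so the same logic can wrap any transport.
function postJson(url, body, pageOrigin, getToken, fetchImpl) {
  const headers = Object.assign(
    { 'Content-Type': 'application/json' },
    csrfHeaders('POST', url, pageOrigin, getToken)
  );
  return fetchImpl(url, {
    method: 'POST',
    credentials: 'same-origin', // session cookie goes only to our own origin
    headers,
    body: JSON.stringify(body),
  });
}
```

In the Qooxdoo and ExtJS apps, the object returned by `csrfHeaders` would be merged into the request headers of each framework's own AJAX call instead of going through `postJson`.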