Is it unsafe for the JavaScript client to set the CSRF token? | Dark Hacker News