CSRF issue only on first call

ell
Posts: 1
Joined: Mon Apr 11, 2016 2:08 pm

Post by ell »

Hello guys!

Recently we've posted our open source secure data exchange but faced an issue with the NoScript plugin.

Application page: https://secu.su
Application API: https://api.secu.su

Domains are white-listed in the plugin.

While the user is creating a new data container, the browser sends a POST request to the API and a Cross Origin error is thrown. The data is sent but the response is blocked (the application will throw an error popup).
If you try to send the data again, it will be sent and the response will be received without any problems.
All future tries will be successful until you restart the browser. The first call will raise the Cross Origin error again.

If you turn off the NoScript plugin, the error will disappear; that's why I thought it's a plugin issue.

// Tested with NoScript 2.9.0.11
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: CSRF issue only on first call

Post by barbaz »

When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: CSRF issue only on first call

Post by Thrawn »

First up - are you sending raw Mustache code to the client mingled with your HTML, and having it parsed in JavaScript?! That's.........a different approach to what I've seen before.

Second, I can't get it working at all (buttons do nothing), probably due to this.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0