Bizarrely, this behaviour was changed in rails 4. http://www.alfajango.com/blog/rails-4-whats-new/

Rails forms now will not render the CSRF field in the form unless you explicitly define it as an option to your form:

<%= form_for @some_model, :remote => true, :authenticity_token => true do |f| %>
<% end %>

Adding this option allows you to gracefully degrade to a HTML fallback if Javascript is switched off.

ORIGINAL DISCUSSION: http://stackoverflow.com/questions/19452853/actioncontrollerinvalidauthenticitytoken-when-disable-js-ajax-request

by ryzalyusoff