Server returns a page, which has a hidden input containing some one-time CSRF tokens to be used for future AJAX requests. The .onload handler parses those tokens and removed the <input>. The problem occurs when the person navigates away to an external website and then uses the "Back" button to return to the previous page. Browser uses a cached version of the page, which contains the <input> with tokens, which might have been used up already. I have no way to check that until the request is made.
Is there a reliable way, to pass some data into JavaScript variable, which will be guaranteed to execute only once, even if the person clicks "Back" button to get to the page?
The only solution I can think of, is to request these tokens asynchronously on page load, but it makes little sense to make a round-trip to the server for a couple of short strings, when a huge chunk of compressed content is being sent to the user anyways.
You could try using a hidden
form, as browsers preserve form data, and then use js to sniff the form to check if the page is 'dirty'.There's a good example in this answer: https://stackoverflow.com/a/5642600/1759514