Form token is stripped from widget AJAX calls
Answer ID 12720   |   Last Review Date 10/13/2023

Why isn't our custom widget AJAX-handler receiving the f_tok POST data anymore?

Environment:
  • Migrating to Customer Portal (CP) 3.9
  • Custom widget AJAX handling with form tokens
Issue:
 
We have a custom widget that consumes the f_tok form expiration token value passed to it by an AJAX request to /ci/ajax/widget. When we update the CP framework to version 3.9, the token is missing from the parameters received by the handler in our widget controller.
 
Cause:
 
In CP 3.9, /ci/ajax/widget validates f_tok and then unsets it before passing the POST data to the widget controller, so the handler never receives a parameter with that name.
 
Resolution:
 
If you want to validate this token directly in your widget's AJAX handler, send it under any name other than f_tok.
 
For troubleshooting, try var_dump($params) in your widget controller's AJAX handler function to see which parameters actually reach it.
 
Notes:
 
See /dav/cp/core/framework/Controllers/Ajax.php. In framework version 3.9, there is a comment "remove f_tok coming in POST so that downstream additional checks are avoided."