This is going to be a slightly confusing Description but the steps to reproduce should help make sense of this, I hope.
If users have scriptrunner and Elements connect (formally nFeed) installed and they have a custom field with a scriptrunner behaviour on that field. If the custom text field is connected to the elements connect field you can get XSRF warnings at submit time when editing that field in the issue EDIT window.
This only happens when you map a behaviour to the same field for both the service desk project and the Jira software version of the same service desk project and if you do not take focus away from the custom text field when you edit it in the edit window (just hit enter after populating).
1-Create a Service Desk Project
2-Install Scriptrunner and Elements Connect
3-Create a Custom Text Field (Single line)
4-Create a Custom elements field
5-Setup an Elements connect data source so it just points the internal database.
6-Configure the "elements connect custom field" in the elements connect configuration area. Choose the data source you created and choose the SQL buttons.
I used this SQL to just return a list of Link names. It gets the Name to lookup from our custom Text field value as it is entered (customfield_10200 is the standard Custom Text fields ID) :
7-Make sure to set the "elements connect" configuration drop-down named "Editor" to "read-only".
8-Perform a quick check by creating an issue. When you type Blocks into the custom text field, the elements connect field should auto-populate with the same value, looked up in the database.
9-Now create a basic "behaviour" on the Custom Text Field and just use the "Required" toggle option to make it required.
10-Map your service desk project to this behaviour as Both a Service Desk Project AND a standard Jira software project.
It should be "name of the project (All Issue Types)" and "name of the project"(All Request Types)
11- Try to then edit an issue, type the word Blocks into the Custom Text field so the elements field gets populated.
12- Do not take focus away from the customer Text field, just hit enter as soon as you finish typing "Blocks"
Then you should see the "XSRF Security Token Missing" error.
If you then remove one of the Behaviour Mappings and for example just leave the "name if the project (All Issue Types)" mapping and then repeat the test, there will not be an XSRF error.
IMPORTANT - You must not let your mouse/cursor focus leave the field before you hit enter.
Workaround - Do not hit enter after editing the Custom Text Value, click outside the field first and then click submit.
I have just found out that if you that is connected to the elements connect field you will still get the XSRF error. So this just with the "Test Service Desk (All issue types)" mapping. It must be related to how we link a service desk project to behaviours when we are trying to map the agent side (Jira Software) rather than the customers side (Service Desk)
I will add a video to describe visually in the attachments