
The Django docs tell us that our AJAX scripts should acquire the token from the designated cookie as in get_cookie('_csrf_token'). Can I rather print it to the HTML source, so that it's available to the JS context more easily?

<script>
var TOKEN = "{{ csrf_token }}";
</script>
<script src="myscript.js"></script>
Jesvin Jose

1 Answer


Yes, if you want, there is no extra security risk as long as you make sure that if caching is enabled, only private caching is specified to prevent this value being cached by any proxy server between users and your system.

e.g. cache-control: private HTTP response header.

The Same Origin Policy will prevent the token from being read on the page (assuming you have not enabled CORS).

SilverlightFox
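As an added, self-contained illustration (not code from the question or the answer, and not Django's own API), this simulates the pattern under discussion: the token JSON-encoded into the script block from the question, the Cache-Control: private header the answer requires, a check for whether a shared cache may store the response, and the server-side comparison when the AJAX call sends the token back in a header. The function names, the header name X-CSRFToken and the token generator are assumptions.

```python
import hmac
import json
import secrets


def new_csrf_token() -> str:
    # Constructed stand-in for the per-session token; Django's generator is not used here.
    return secrets.token_urlsafe(32)


def embed_token_script(token: str) -> str:
    """Render the <script> block from the question. The token is emitted as a JSON
    string literal with <, > and & escaped, so whatever it contains it stays a JS
    string and cannot end the <script> element early."""
    literal = json.dumps(token)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return f"<script>\nvar TOKEN = {literal};\n</script>"


def render_page(token: str) -> tuple:
    """Simulated response: (headers, html). Cache-Control: private is the answer's
    condition: a shared proxy must not store this page and hand one user's token
    to another user."""
    headers = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "private"}
    body = ("<!doctype html><html><body>\n" + embed_token_script(token)
            + '\n<script src="myscript.js"></script>\n</body></html>')
    return headers, body


def shared_cache_may_store(headers: dict) -> bool:
    """Simplified RFC 7234 rule: a shared cache must not store a response whose
    Cache-Control carries 'private' or 'no-store'."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return not ({"private", "no-store"} & directives)


def verify_ajax_request(method: str, headers: dict, session_token: str) -> bool:
    """Server-side check for the AJAX call: unsafe methods must carry the embedded
    token in X-CSRFToken and it must equal the session's token (constant-time
    compare). A simplified model of a CSRF check, not Django's implementation."""
    if method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    sent = headers.get("X-CSRFToken", "")
    return bool(sent) and hmac.compare_digest(sent, session_token)


if __name__ == "__main__":
    tok = new_csrf_token()
    hdrs, html = render_page(tok)
    print(html)
    print("shared proxy may cache:", shared_cache_may_store(hdrs))
    print("POST without header accepted:", verify_ajax_request("POST", {}, tok))
    print("POST with header accepted:", verify_ajax_request("POST", {"X-CSRFToken": tok}, tok))
```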