The "TokenPerPage" approach is not applied to AJAX requests

The current logic generates and returns new, unique tokens for every accessed URI lazily, but they are only injected into `forms` or `src` and `href` attributes by the `injectTokens` method. This way a large SPA application using exclusively XHR requests would only make use of one single (session) token.