js: Extract csrf.js and include in common bundle.

This should make it possible to use this AJAX setup code in logged-out
code as well, which is necessary to use blueslip from portico pages.

static/js/csrf.js

@@ -0,0 +1,15 @@
+var csrf_token;
+$(function () {
+    // This requires that we used Jinja2's {% csrf_input %} somewhere on the page.
+    csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');
+    window.csrf_token = csrf_token;
+
+    $.ajaxSetup({
+        beforeSend: function (xhr, settings) {
+            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
+                // Only send the token to relative URLs i.e. locally.
+                xhr.setRequestHeader("X-CSRFToken", csrf_token);
+            }
+        },
+    });
+});