Joining alternative in admin does not work when CSRF_COOKIE_HTTPONLY=True

[bvvstab]

The code in csrf.js sets a HTTP header from the CSRF cookie, but it is not allowed to ready it. The HTTP header is thus set to "null", causing the request to fail.

I suggest turning the functionality into proper links, or reading the token from DOM - e.g.

$("[name='csrfmiddlewaretoken']").val();