diff --git a/apps/addons/templates/addons/includes/install_button.html b/apps/addons/templates/addons/includes/install_button.html
index dba8627c70..44322a4433 100644
--- a/apps/addons/templates/addons/includes/install_button.html
+++ b/apps/addons/templates/addons/includes/install_button.html
@@ -18,6 +18,7 @@
 {% else %}
 href="{{ link.url }}"
 {% endif %}>
+ {{ csrf() }}
 {% if request.MOBILE %}
 {% if addon.is_webapp() %}
 {% if (addon.is_premium() and addon.has_purchased(amo_user)) or (not addon.is_premium()) %}
diff --git a/apps/amo/templates/amo/403_apps.html b/apps/amo/templates/amo/403_apps.html
index 496680627a..c331f717c0 100644
--- a/apps/amo/templates/amo/403_apps.html
+++ b/apps/amo/templates/amo/403_apps.html
@@ -6,6 +6,7 @@
 {# TODO(apps): Finalize copy. #}
 {% block primary %}
+{% block content %}
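Review bot: The `{{ csrf() }}` on the added line appears to sit inside the install `<a>` element, just after the `>` that closes its opening tag, and it becomes the only token source for anonymous visitors, because the helpers.js `ajaxSend` hook falls back to `input[name='csrfmiddlewaretoken']` exactly when `z.anonymous` is set or no `meta[name=csrf]` exists. If this partial is ever rendered into a fragment or page that is cached for anonymous users, the embedded token belongs to the request that filled the cache and will not match the visitor's CSRF cookie, so every POST issued from buttons.js would be rejected; it is worth confirming that nothing caches this include. Emitting one hidden form field per button, inside an anchor, is also a smell — a single token carrier per page (the existing `meta[name=csrf]` rendered for all users, or a `data-csrf` attribute on the buttons' container) would be cleaner. At minimum a template comment such as `{# feeds the X-CSRFToken ajaxSend hook in helpers.js for anonymous users; must not be served from a cached fragment #}` would explain why a form control lives inside a link.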

Oops! Not allowed.

@@ -21,3 +22,4 @@
{% endblock %}
+{% endblock %}
diff --git a/media/js/zamboni/global.js b/media/js/zamboni/global.js
index 0c332a07ea..eaf4052f1d 100644
--- a/media/js/zamboni/global.js
+++ b/media/js/zamboni/global.js
@@ -1,26 +1,6 @@
 // Things global to the site should go here, such as re-usable helper
 // functions and common ui components.
-// CSRF Tokens
-// Hijack the AJAX requests, and insert a CSRF token as a header.
-
-$('html').ajaxSend(function(event, xhr, ajaxSettings) {
- var csrf, $meta;
- // Block anything that starts with "http:", "https:", "://" or "//"
- if (!/^((https?:)|:?[/]{2})/.test(ajaxSettings.url)) {
- // Only send the token to relative URLs i.e. locally.
- $meta = $('meta[name=csrf]');
- if (!z.anonymous && $meta.exists()) {
- csrf = $meta.attr('content');
- } else {
- csrf = $("#csrfmiddlewaretoken").val();
- }
- if (csrf) xhr.setRequestHeader("X-CSRFToken", csrf);
- }
-}).ajaxSuccess(function(event, xhr, ajaxSettings) {
- $(window).trigger('resize'); // Redraw what needs to be redrawn.
-});
-
 // Tooltip display. If you give an element a class of 'tooltip', it will
 // display a tooltip on hover. The contents of the tip will be the element's
 // title attribute OR the first title attribute in its children. Titles are
diff --git a/media/js/zamboni/helpers.js b/media/js/zamboni/helpers.js
new file mode 100644
index 0000000000..5632e586c6
--- /dev/null
+++ b/media/js/zamboni/helpers.js
@@ -0,0 +1,21 @@
+// CSRF Tokens
+// Hijack the AJAX requests, and insert a CSRF token as a header.
+
+$('html').ajaxSend(function(event, xhr, ajaxSettings) {
+ var csrf, $meta;
+ // Block anything that starts with 'http:', 'https:', '://' or '//'.
+ if (!/^((https?:)|:?[/]{2})/.test(ajaxSettings.url)) {
+ // Only send the token to relative URLs i.e. locally.
+ $meta = $('meta[name=csrf]');
+ if (!z.anonymous && $meta.length) {
+ csrf = $meta.attr('content');
+ } else {
+ csrf = $("input[name='csrfmiddlewaretoken']").val();
+ }
+ if (csrf) {
+ xhr.setRequestHeader('X-CSRFToken', csrf);
+ }
+ }
+}).ajaxSuccess(function(event, xhr, ajaxSettings) {
+ $(window).trigger('resize'); // Redraw what needs to be redrawn.
+});
diff --git a/media/js/zamboni/mobile/buttons.js b/media/js/zamboni/mobile/buttons.js
index 1e5c2a189a..093fde579a 100644
--- a/media/js/zamboni/mobile/buttons.js
+++ b/media/js/zamboni/mobile/buttons.js
@@ -47,11 +47,13 @@ z.startPurchase = function(manifest_url, opt) {
 $.ajax({
 url: opt.url,
+ type: 'post',
 dataType: 'json',
 /* false so that the action is considered within bounds of
 * user interaction and does not trigger the Firefox popup blocker. */
 async: false,
+ data: {'result_type': 'json'},
 success: function(json) {
 $('.modal').trigger('close'); // Hide all modals
 if (json.paykey) {
diff --git a/settings.py b/settings.py
index 83e7354aa1..74a66c02bc 100644
--- a/settings.py
+++ b/settings.py
@@ -572,6 +572,7 @@ MINIFY_BUNDLES = {
 'js/lib/jquery-ui/jquery.ui.datepicker.js',
 'js/lib/jquery-ui/jquery.ui.sortable.js',
+ 'js/zamboni/helpers.js',
 'js/zamboni/global.js',
 'js/amo2009/global.js',
 'js/impala/ratingwidget.js',
@@ -654,6 +655,7 @@ MINIFY_BUNDLES = {
 'js/zamboni/truncation.js',
 'js/impala/ajaxcache.js',
+ 'js/zamboni/helpers.js',
 'js/zamboni/global.js',
 'js/impala/global.js',
 'js/impala/ratingwidget.js',
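Review bot: The same-origin test on the `if (!/^((https?:)|:?[/]{2})/.test(ajaxSettings.url))` line is case-sensitive, so a request to `HTTPS://other-host/...` passes it and the CSRF token is sent cross-origin in the `X-CSRFToken` header; browsers also treat a leading `/\` like `//`, which the character class does not cover. If the bundled jQuery is 1.5 or later, `ajaxSettings.crossDomain` has already been resolved against the document origin by the time `ajaxSend` fires, so a more robust guard is `if (!ajaxSettings.crossDomain && !/^(https?:|:?[/\\]{2})/i.test(ajaxSettings.url)) {`, keeping the regex only as a second line of defence. The hook also attaches the token to every same-origin request, GETs included, which is harmless but deserves a one-line comment so nobody later "fixes" it by filtering on method in a way that misses PUT/DELETE. A header comment noting that settings.py bundles this file ahead of global.js, and that the hook relies on the `z.anonymous` global being defined earlier, would save the next reader a search.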
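Review bot: With `type: 'post'` this request is now subject to CSRF enforcement, yet no `error:` callback is visible in the hunk, so a 403 (missing or stale token) or a 5xx would leave the `.modal` open with no feedback, since only `success` closes it. `z.startPurchase` begins at the hunk header and runs past the last line, so the handler may exist further down; if it does not, add `error: function(xhr) { $('.modal').trigger('close'); /* surface xhr.status to the user */ }` or the project's equivalent. The `success` handler also dereferences `json.paykey` directly; with `dataType: 'json'` a non-JSON body already routes to the error path, which is one more reason that path needs a handler.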
@@ -792,6 +794,7 @@ MINIFY_BUNDLES = {
 'js/impala/footer.js',
 'js/zamboni/personas_core.js',
 'js/zamboni/mobile/personas.js',
+ 'js/zamboni/helpers.js',
 'js/zamboni/mobile/general.js',
 'js/impala/ratingwidget.js',
 'js/zamboni/browserid_support.js',