Bizarrely, this behaviour was changed in Rails 4. http://www.alfajango.com/blog/rails-4-whats-new/
Rails forms now will not render the CSRF field in the form unless you explicitly define it as an option to your form:
<%= form_for @some_model, :remote => true, :authenticity_token => true do |f| %>
<% end %>
Adding this option allows you to gracefully degrade to an HTML fallback if JavaScript is switched off.