Found the cause for this, I hope it helps someone.
In our case, the Episerver framework basepath was set to an inaccessible network share path. This normally, from past experience, results in errors on startup. In this case, the app worked fine, other than these cross-site scripting validation errors. Weird.
We're getting a request forgery exception when we try to update many of our commerce entities through the CMS back-end:
[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
EPiServer.Shell.Services.Rest.RestHttpHandler.ValidateAntiForgeryToken(HttpContextBase httpContext) +357
EPiServer.Shell.Services.Rest.RestHttpHandler.GetController(HttpContextBase httpContext) +108
EPiServer.Shell.Services.Rest.RestHttpHandler.BeginProcessRequest(HttpContextBase context, AsyncCallback callback, Object extraData) +25
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +157
This occurs when any of the property values are changed, which prevents us from updating the relevant products and categories.
The symptoms are the same as outlined here:
Except we're not using secure cookies.
Any idea what could be causing this?