security: use more antiforgery tokens

Disco.Web/Areas/Config/Views/Enrolment/Status.cshtml

@@ -8,7 +8,6 @@
     Html.BundleDeferred("~/ClientScripts/Modules/jQuery-Isotope");
 }
 <div id="enrolStatus" data-defaultdeviceprofileid="@Model.DefaultDeviceProfileId">
-    @Html.AntiForgeryToken()
     <div id="noSessions" data-bind="visible: noSessions">
         <h2>No enrolment sessions today</h2>
     </div>
@@ -31,7 +30,7 @@
             <p class="sessionStatus" data-bind="text: progressStatus"></p>
             <div data-bind="visible: !sessionEnded() && progressValue >= 0, progressValue: progressValue"></div>
             <div id="formResolveSessionPending" data-bind="visible: isPending">
-                @using (Html.BeginForm(MVC.API.Enrolment.ResolveSessionPending(), FormMethod.Post))
+                @using (Html.BeginForm(MVC.API.Enrolment.ResolveSessionPending()))
                 {
                     <code data-bind="text: pendingIdentifier"></code>
                     @Html.AntiForgeryToken();
@@ -352,6 +351,9 @@
                 url: '@(Url.Action(MVC.API.DeviceModel.Index()))',
                 dataType: 'json',
                 type: 'POST',
+                data: {
+                    '__RequestVerificationToken': document.body.dataset.antiforgery
+                },
                 success: init_loadedDeviceModels,
                 error: function (jqXHR, textStatus, errorThrown) {
                     alert('Unable to retrieve device models: ' + errorThrown);
@@ -373,7 +375,7 @@
                 End: null,
                 ModuleId: 50,
                 Take: 2000,
-                '__RequestVerificationToken': host.find('input[name="__RequestVerificationToken"]').val()
+                '__RequestVerificationToken': document.body.dataset.antiforgery
             };
             $.ajax({
                 url: '@(Url.Action(MVC.API.Logging.RetrieveEvents()))',