Refine error messages for CSRF exceptions

Summary: See T489. Provide slightly more detail so we can figure out if there's
a real issue here.

Test Plan:
Hit URIs like:

 /differential/comment/preview/29/
 /differential/comment/preview/29/?__ajax__=1
 /differential/comment/preview/29/?__csrf__=1

..and got appropriate error messages.

Reviewers: jungejason

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 884

Author: epriestley

src/aphront/request/AphrontRequest.php

@@ -145,6 +145,22 @@ final public function validateCSRF() {
 
     $valid = $this->getUser()->validateCSRFToken($token);
     if (!$valid) {
+
+      // Add some diagnostic details so we can figure out if some CSRF issues
+      // are JS problems or people accessing Ajax URIs directly with their
+      // browsers.
+      if ($token) {
+        $token_info = "with an invalid CSRF token";
+      } else {
+        $token_info = "without a CSRF token";
+      }
+
+      if ($this->isAjax()) {
+        $more_info = "(This was an Ajax request, {$token_info}.)";
+      } else {
+        $more_info = "(This was a web request, {$token_info}.)";
+      }
+
       // This should only be able to happen if you load a form, pull your
       // internet for 6 hours, and then reconnect and immediately submit,
       // but give the user some indication of what happened since the workflow
@@ -155,7 +171,8 @@ final public function validateCSRF() {
         "certain type of login hijacking attack. However, the token can ".
         "become invalid if you leave a page open for more than six hours ".
         "without a connection to the internet. To fix this problem: reload ".
-        "the page, and then resubmit it.");
+        "the page, and then resubmit it.\n\n".
+        $more_info);
     }
 
     return true;