- * The Facebook-Canvas does not send a proper CSRF-token in its
- * POST-requests. Hence, this feature has to be disabled for all
- * pages, that receive an initial call from the Facebook-Canvas.
+ * Neither the Facebook-Canvas nor the H2-console does send a proper
+ * CSRF-token in its POST-requests. Hence, this feature has to be
+ * disabled for this pages.