diff --git a/public/comments.php b/public/comments.php
index 39ad2277..e907fce1 100644
--- a/public/comments.php
+++ b/public/comments.php
@@ -16,7 +16,7 @@ if ($isXHR) {
 }
 if (!tmp_csrf_verify($_REQUEST['csrf'] ?? '')) {
- echo render_info_or_json("Couldn't verify this request, please refresh the page and try again.", 403);
+ echo render_info_or_json($isXHR, "Couldn't verify this request, please refresh the page and try again.", 403);
 return;
 }
diff --git a/views/mio/_layout/comments.twig b/views/mio/_layout/comments.twig
index 74049320..e309b8a4 100644
--- a/views/mio/_layout/comments.twig
+++ b/views/mio/_layout/comments.twig
@@ -566,7 +566,7 @@
 commentVoteLock = false;
 };
- xhr.open('GET', '/comments.php?m=vote&c={0}&v={1}&h={{ csrf_token() }}'.replace('{0}', id).replace('{1}', vote));
+ xhr.open('GET', '/comments.php?m=vote&c={0}&v={1}&csrf={{ csrf_token() }}'.replace('{0}', id).replace('{1}', vote));
 xhr.setRequestHeader('X-Misuzu-XHR', 'comments');
 xhr.send();
 }
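Review bot: `$_REQUEST['csrf'] ?? ''` in the guard just above the changed `echo` only covers a missing parameter; a request sent with `csrf[]=x` delivers an array, and depending on how `tmp_csrf_verify` is declared (not visible here) that either surfaces as an unhandled TypeError instead of this 403 response or lets a non-string reach the token comparison. A string check keeps malformed tokens on the same rejection branch, e.g. `$csrf = $_REQUEST['csrf'] ?? '';` followed by `if (!is_string($csrf) || !tmp_csrf_verify($csrf)) {`. `$_REQUEST` can also include cookies depending on `request_order`, so reading the token from `$_GET`/`$_POST` explicitly would make the accepted source unambiguous.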
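Review bot: The token now reaches the server under the right name, but it still travels in the query string of a GET request (`...&csrf={{ csrf_token() }}`), so every vote writes a valid CSRF token to access logs, proxy logs and browser history, and the vote itself is a state change on a safe method. Because the PHP side reads `$_REQUEST['csrf']`, the token could move to a POST body: `xhr.open('POST', '/comments.php?m=vote&c={0}&v={1}'.replace('{0}', id).replace('{1}', vote));`, `xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');` and `xhr.send('csrf={{ csrf_token() }}');` — whether the vote handler accepts POST is not visible in this hunk. `id` and `vote` are substituted into the URL without `encodeURIComponent`, which is worth adding if either can be anything but a number. The enclosing function starts and ends outside the hunk.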