Document the use of self.xsrf_token to set the cookie for ajax-only a…

…pps.

Closes tornadoweb#645.

website/sphinx/overview.rst

@@ -557,7 +557,11 @@ all requests:
 
 For ``PUT`` and ``DELETE`` requests (as well as ``POST`` requests that
 do not use form-encoded arguments), the XSRF token may also be passed
-via an HTTP header named ``X-XSRFToken``.
+via an HTTP header named ``X-XSRFToken``.  The XSRF cookie is normally
+set when ``xsrf_form_html`` is used, but in a pure-Javascript application
+that does not use any regular forms you may need to access
+``self.xsrf_token`` manually (just reading the property is enough to
+set the cookie as a side effect).
 
 If you need to customize XSRF behavior on a per-handler basis, you can
 override ``RequestHandler.check_xsrf_cookie()``. For example, if you