diff --git a/tools/jslint/check-all.js b/tools/jslint/check-all.js
index 65b68ab48a..26facec1e2 100644
--- a/tools/jslint/check-all.js
+++ b/tools/jslint/check-all.js
@@ -31,7 +31,7 @@ var globals =
     + ' initiate_search'
 
     // setup.js
-    + ' loading_spinner templates'
+    + ' loading_spinner templates csrf_token'
 
     // subs.js
     + ' subs'
diff --git a/zephyr/static/js/setup.js b/zephyr/static/js/setup.js
index f5731aff2a..83d25fd8b9 100644
--- a/zephyr/static/js/setup.js
+++ b/zephyr/static/js/setup.js
@@ -3,6 +3,7 @@
 
 var loading_spinner;
 var templates = {};
+var csrf_token;
 $(function () {
     // Display loading indicator.  This disappears after the first
     // get_updates completes.
@@ -21,13 +22,13 @@ $(function () {
     );
 
     // This requires that we used Django's {% csrf_token %} somewhere on the page.
-    var csrftoken = $('input[name="csrfmiddlewaretoken"]').attr('value');
+    csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');
 
     $.ajaxSetup({
         beforeSend: function (xhr, settings) {
             if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                 // Only send the token to relative URLs i.e. locally.
-                xhr.setRequestHeader("X-CSRFToken", csrftoken);
+                xhr.setRequestHeader("X-CSRFToken", csrf_token);
             }
         }
     });