Fixes #897.

framework/yii/base/ErrorHandler.php

@@ -93,6 +93,8 @@ class ErrorHandler extends Component
 		$response->getHeaders()->removeAll();
 
 		if ($useErrorView && $this->errorAction !== null) {
+			// disable CSRF validation so that errorAction can run in case the error is caused by CSRF validation failure
+			Yii::$app->getRequest()->enableCsrfValidation = false;
 			$result = Yii::$app->runAction($this->errorAction);
 			if ($result instanceof Response) {
 				$response = $result;

framework/yii/web/Request.php

@@ -1001,7 +1001,8 @@ class Request extends \yii\base\Request
 	 */
 	public function getCsrfTokenFromHeader()
 	{
-		return isset($_SERVER[self::CSRF_HEADER]) ? $_SERVER[self::CSRF_HEADER] : null;
+		$key = 'HTTP_' . str_replace('-', '_', strtoupper(self::CSRF_HEADER));
+		return isset($_SERVER[$key]) ? $_SERVER[$key] : null;
 	}
 
 	/**