Forbidden: ajax header CSRF is ignored and hence http 403

My ajax request:

var xhr = new XMLHttpRequest();"POST", url, true);
xhr.setRequestHeader("Content-type", "application/json;charset=UTF-8");
xhr.setRequestHeader("x-csrf-token", document.querySelector("meta[name=csrf]").content);

On a page there’s a csrf token generated by Phoenix.

<meta name="csrf" content="<%= Plug.CSRFProtection.get_csrf_token() %>" />

It’s sent on a server along with each ajax request I can see in Chrome. But my server always returns:

"403: invalid CSRF (Cross Site Request Forgery) token, make sure all requests include a valid '_csrf_token' param or 'x-csrf-token' header"

Why? How to fix this?