InvoicePlane 1.5.3 Saving Settings Error

Here is the culprit:

// Automatical CSRF protection for all POST requests
$.ajaxPrefilter(function (options) {
    if (options.type === 'post' || options.type === 'POST' || options.type === 'Post') {
        if (options.data === '') {
            options.data += '?_ip_csrf=' + Cookies.get('ip_csrf_cookie');
        } else {
            options.data += '&_ip_csrf=' + Cookies.get('ip_csrf_cookie');
        }
    }
});

\InvoicePlane\assets\core\js\scripts.js
Line 147 + Line 149

Using JS to handle CSRF is very questionable indeed :confused:

You might be interested in this as well: https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-XSS-Protection

For future reference: https://stackoverflow.com/questions/29680409/is-it-a-good-practice-to-store-the-csrf-token-in-meta-tag

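An added example, not part of the original post and not InvoicePlane's code: it replays the two concatenation branches of the prefilter quoted above on different request-body values and compares them with a type-aware way of attaching the same `_ip_csrf` field. The function names, the sample bodies and the token `tok` are constructed for illustration.

```javascript
// Mirrors the two string-concatenation branches of the quoted prefilter.
function appendTokenByConcat(data, token) {
    if (data === '') {
        data += '?_ip_csrf=' + token;   // '?' belongs to URLs, not to a POST body
    } else {
        data += '&_ip_csrf=' + token;   // coerces any non-string body to a string
    }
    return data;
}

// Type-aware alternative (hypothetical helper): attach the field per body type.
function appendTokenByType(data, token) {
    if (typeof FormData !== 'undefined' && data instanceof FormData) {
        data.set('_ip_csrf', token);    // multipart body stays a FormData object
        return data;
    }
    if (data === undefined || data === null || typeof data === 'string') {
        const params = new URLSearchParams(data || '');
        params.set('_ip_csrf', token);  // value is percent-encoded on output
        return params.toString();
    }
    throw new TypeError('unsupported request body type');
}

// Field names a form-urlencoded parser would extract from a string body.
// Written by hand because URLSearchParams silently strips a leading '?'.
function fieldNames(body) {
    return body.split('&').filter(Boolean)
        .map(pair => decodeURIComponent(pair.split('=')[0].replace(/\+/g, ' ')));
}

// Constructed sample bodies: empty string, missing data, ordinary form data.
for (const sample of ['', undefined, 'setting=1']) {
    const concat = appendTokenByConcat(sample, 'tok');
    const typed = appendTokenByType(sample, 'tok');
    console.log(JSON.stringify(sample), '->', fieldNames(concat), 'vs', fieldNames(typed));
}
```

With an empty body the concatenated version sends a field named `?_ip_csrf`, and with a missing body it sends a stray `undefined` field, so only the ordinary form-data case is unaffected.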