Is clock server no longer a recommended way to do scheduled tasks? Any hint on how to fix the problem?
My preferred approach is to use a separate instance to handle cron jobs. I keep that instance out of the publication stack, so it does not receive requests from outside. For this reason, CSRF is not a threat for that instance. In the "cron instance" you can safely set the environment variable PLONE_CSRF_DISABLED to true without bothering about CSRF at all.
In a ZEO buildout this translates to something like:
    [instance-cron]
    recipe = collective.recipe.zope2cluster
    <= instance-settings
    environment-vars +=
        PLONE_CSRF_DISABLED true
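A check an operator could run over the buildout before relying on this setup, added here as an example and not part of the original answer: it lists every part that sets PLONE_CSRF_DISABLED to true while its HTTP listener is not bound to loopback. It assumes the parts use the `http-address` option of plone.recipe.zope2instance and treats "bound to loopback" as a stand-in for "out of the publication stack"; the sample buildout and the function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample buildout; only [instance-cron] mirrors the answer above.
SAMPLE = """
[instance-settings]
recipe = plone.recipe.zope2instance
http-address = 8080
[instance-cron]
<= instance-settings
http-address = 127.0.0.1:8099
environment-vars +=
    PLONE_CSRF_DISABLED true
[instance-public]
<= instance-settings
environment-vars +=
    PLONE_CSRF_DISABLED true
"""

def resolve(cfg, part, key, seen=()):
    """Look up key in part, following buildout's '<=' macro inheritance."""
    if not part or part in seen or not cfg.has_section(part):
        return None
    if cfg.has_option(part, key):
        return cfg.get(part, key)
    # configparser reads the line "<= parent" as option "<" with value "parent"
    parent = cfg.get(part, "<", fallback="").strip()
    return resolve(cfg, parent, key, seen + (part,))

def csrf_disabled(cfg, part):
    """True if the part itself sets PLONE_CSRF_DISABLED true ('=' or '+=')."""
    for opt in ("environment-vars", "environment-vars +"):
        for line in cfg.get(part, opt, fallback="").splitlines():
            name, _, value = line.strip().partition(" ")
            if name == "PLONE_CSRF_DISABLED" and value.strip().lower() == "true":
                return True
    return False

def is_loopback(http_address):
    """A bare port ("8080") or a missing value counts as listening on all interfaces."""
    host = http_address.rpartition(":")[0] if http_address else ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(text):
    cfg = configparser.RawConfigParser(strict=False)
    cfg.optionxform = str  # keep option names case-sensitive
    cfg.read_string(text)
    hits = [(p, resolve(cfg, p, "http-address")) for p in cfg.sections() if csrf_disabled(cfg, p)]
    return [(part, addr) for part, addr in hits if not is_loopback(addr)]
```

An empty result only says the listeners are on loopback; a reverse proxy on the same host that forwards to the cron port would still expose the instance, so the proxy configuration needs the same review.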