diff --git a/frappe/__init__.py b/frappe/__init__.py
index a73abfd1b2..fc8d85c287 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -368,7 +368,7 @@ def whitelist(allow_guest=False, xss_safe=False):
 pass
 """
 def innerfn(fn):
- global whitelisted, guest_methods
+ global whitelisted, guest_methods, xss_safe_methods
 whitelisted.append(fn)
 
 if allow_guest:
diff --git a/frappe/__version__.py b/frappe/__version__.py
index fce0ca0b23..1ee0cffaac 100644
--- a/frappe/__version__.py
+++ b/frappe/__version__.py
@@ -1,2 +1,2 @@
 from __future__ import unicode_literals
-__version__ = "6.4.3"
+__version__ = "6.4.4"
diff --git a/frappe/auth.py b/frappe/auth.py
index 72fdadd9a9..2cff14e097 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -61,7 +61,12 @@ class HTTPRequest:
 # not via boot
 return
 
- if frappe.local.session.data.csrf_token != frappe.get_request_header("X-Frappe-CSRF-Token"):
+ csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
+ if not csrf_token and "csrf_token" in frappe.local.form_dict:
+ csrf_token = frappe.local.form_dict.csrf_token
+ del frappe.local.form_dict["csrf_token"]
+
+ if frappe.local.session.data.csrf_token != csrf_token:
 frappe.local.flags.disable_traceback = True
 frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
 
diff --git a/frappe/hooks.py b/frappe/hooks.py
index f9e7a0981f..114bbd0cc2 100644
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@@ -26,7 +26,7 @@ to ERPNext.
 """
 
 app_icon = "octicon octicon-circuit-board"
-app_version = "6.4.3"
+app_version = "6.4.4"
 app_color = "orange"
 github_link = "https://github.com/frappe/frappe"
 
diff --git a/frappe/public/js/frappe/model/create_new.js b/frappe/public/js/frappe/model/create_new.js
index 5e6a56219d..3c81c4e6fd 100644
--- a/frappe/public/js/frappe/model/create_new.js
+++ b/frappe/public/js/frappe/model/create_new.js
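Review bot: The `global` entry added here only has an effect if innerfn rebinds `xss_safe_methods`; if the rest of the function (outside this hunk) only calls `.append()` on it, as the visible `whitelisted.append(fn)` does for `whitelisted`, the module-level list is reachable without `global` and the whole line `global whitelisted, guest_methods, xss_safe_methods` could be dropped. If rebinding does happen further down, a one-line comment saying so would save the next reader the same check. The body of innerfn and the enclosing whitelist decorator continue outside the hunk.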
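Review bot: The body-supplied token is removed from `form_dict` only when the header is absent, so a client that sends both `X-Frappe-CSRF-Token` and a `csrf_token` form field leaves `csrf_token` in `form_dict`, where it is presumably forwarded to the whitelisted method along with the other form arguments. Popping it unconditionally and falling back to it only when the header is missing keeps the two paths consistent: `csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")`, `body_token = frappe.local.form_dict.pop("csrf_token", None)`, `csrf_token = csrf_token or body_token` (assuming `form_dict` is a dict subclass, which the existing `in`/`del` usage suggests). A short comment above the block noting that the form field is accepted so that plain HTML form posts, which cannot set custom headers, can still pass the check would explain why two sources exist. The enclosing method starts and ends outside this hunk, so the condition under which this check runs is not visible here.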
@@ -241,7 +241,9 @@ $.extend(frappe.model, {
 }
 var _map = function() {
 return frappe.call({
- type: "GET",
+ // Sometimes we hit the limit for URL length of a GET request
+ // as we send the full target_doc. Hence this is a POST request.
+ type: "POST",
 method: opts.method,
 args: {
 "source_name": opts.source_name,
diff --git a/frappe/public/js/legacy/handler.js b/frappe/public/js/legacy/handler.js
index 96d3f7adb9..9b0ee5a656 100644
--- a/frappe/public/js/legacy/handler.js
+++ b/frappe/public/js/legacy/handler.js
@@ -86,6 +86,7 @@ function open_url_post(URL, PARAMS, new_window) {
 if(new_window){
 temp.target = '_blank';
 }
+ PARAMS["csrf_token"] = frappe.csrf_token;
 for(var x in PARAMS) {
 var opt=document.createElement("textarea");
 opt.name=x;
diff --git a/setup.py b/setup.py
index 6ca8656a46..4f738c389c 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
 
-version = "6.4.3"
+version = "6.4.4"
 
 with open("requirements.txt", "r") as f:
 install_requires = f.readlines()
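Review bot: Switching this call to POST puts it under the server-side CSRF comparison shown in the frappe/auth.py hunk of this same commit, so it now depends on `frappe.call` attaching the `X-Frappe-CSRF-Token` header or a `csrf_token` argument; that is not visible in this hunk and is worth confirming, since a missing token would turn the previously working GET into an "Invalid Request" error. The new comment explains the URL-length motivation well; once confirmed, a second line such as `// POST requests are CSRF-checked server-side; frappe.call supplies the token.` would record that consequence next to it. The `_map` function and the enclosing `$.extend(frappe.model, {...})` continue outside the hunk.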
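Review bot: `PARAMS["csrf_token"] = frappe.csrf_token;` mutates the caller's object, so any caller that reuses or inspects its PARAMS after the call now finds an extra `csrf_token` key in it. Since this codebase already uses jQuery, copying before adding keeps the side effect local: `PARAMS = $.extend({}, PARAMS, {csrf_token: frappe.csrf_token});`. If `frappe.csrf_token` can be undefined when a legacy handler runs, the textarea built in the loop below would presumably carry the string "undefined" and the server-side comparison in the auth.py hunk would reject the request, so it is worth confirming the token is always populated by then and noting that precondition in a comment on this line. open_url_post's body continues outside the hunk.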