CSRF check not passed in extension

Hi,

I’m trying to build my own web extension (aka add-on) using WebDAV. However, writing sometimes just aborts with “CSRF check not passed” (i.e., I can read files just fine with “wrong?” credentials, but writing or PROPFIND will return 401 with that error).
Everything works fine on a clean profile, but as soon as I use other extensions accessing NextCloud (like Passman or Floccus) or (sometimes) just log in to the web interface, it seems like the cookies are getting messed up. I only use basic auth, but it seems like NextCloud doesn’t care about it once it gets cookies.
Since the W3C seems to hate everybody and doesn’t allow simply removing the “Cookie” header in the (XMLHttp-) request, is there any other way to ignore whatever messed up data there might be and just use the “Authorization”? And while I’m at it, maybe a header or parameter that avoids setting those cookies with my requests? I’m still a bit confused that I almost never need to log in to NextCloud because the extensions already did (unless they caused a similar situation and the Cookie doesn’t work anymore)…
Setting withCredentials to false seemed like the way to go, but sadly that would cause no access at all (no error message, but redirects to the login page).