Rails allows you to do a lot of configuration under the hood related to the CSRF token. If you like, you can change the name of the param — but if you do, the jQuery UJS driver needs to know the name of the new parameter (since it’s used in Ajax requests). That’s why there are two meta params here: the first is the actual authenticity token, obviously, but the second is required by Rails’ JavaScript drivers in order to even know the name of the first one. (You can see this in action in the jQuery driver or the Prototype driver.)

You could argue this gets you into some kind of crazy loop — why can’t you rename the csrf-param meta tag with another meta tag? I think this was done to allow Rails to easily adopt existing CSRF solutions without needing a lot of manual overrides. Also it allows your apps to be slightly future-proofed. If the HTML5 standard ever adopts an official tag for CSRF tokens, and Rails opts to change the default CSRF tag in a future version, the JavaScript drivers won’t have to change at all.

Ultimately, I think that’s closest to the real reason this exists: it’s insurance against future changes in the CSRF system, preventing unnecessary and possibly extremely annoying deprecations down the road.