Don't add X-CSRF-Token if request is cross domain

bwittenbrook3 commented 8 years ago

Since there is no way to remove an element from the Access-Control-Request-Headers after you set the request header on the xhr object, we need to add in a check to not set the X-CSRF-Token when performing a cross domain request.

With this change, you can set the crossDomain: true property (as below) of an ajax call and it will not include the X-CSRF-Token, which would otherwise fail during the preflight response in applications that do not support that token as indicated by the Access-Control-Allow-Headers of their response.

$.ajax({
      ...
      crossDomain: true,
});

freundchen commented 7 years ago

+1 Will this be merged anytime?

sansb commented 5 years ago

@rondale-sc please merge

rondale-sc / ember-cli-rails-addon

Don't add X-CSRF-Token if request is cross domain #35