Since there is no way to remove an element from the Access-Control-Request-Headers after you set the request header on the xhr object, we need to add in a check to not set the X-CSRF-Token when performing a cross domain request.
With this change, you can set the crossDomain: true property (as below) of an ajax call and it will not include the X-CSRF-Token, which would otherwise fail during the preflight response in applications that do not support that token as indicated by the Access-Control-Allow-Headers of their response.
Since there is no way to remove an element from the
Access-Control-Request-Headers
after you set the request header on the xhr object, we need to add in a check to not set theX-CSRF-Token
when performing a cross domain request.With this change, you can set the
crossDomain: true
property (as below) of an ajax call and it will not include theX-CSRF-Token
, which would otherwise fail during the preflight response in applications that do not support that token as indicated by theAccess-Control-Allow-Headers
of their response.