Don't send XSRF token header for CORS requests #1096
Comments
+1
Hi, just saw this fix in the changelog for 1.1.1. We are currently developing a mobile web app with Angular 1.0.3 with CORS requests, which already uses cookies for authentication. Cookies can be set when withCredentials is set on the XHR request and the HTTP header "Access-Control-Allow-Credentials" is set. As one of the next development steps we wanted to set the cookie for the X-XSRF-Token. Can we shelve that, as the next stable version of AngularJS doesn't support that at all for CORS requests? Or can we activate it again? If not, why remove it completely for CORS requests when the server CAN set the cookie? Maybe a config option would be nice then. Thanks
I would love to be able to whitelist servers, or specify target servers for specific headers. The back-end is on another domain, so this fix is indeed an improvement, but it would be even nicer to be able to specify a whitelist.
It typically makes no sense to send the token since the 3rd party site has no way of setting the cookie.
This is related to #1004
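The decision discussed in this thread, as an added example that is not AngularJS source or code from any participant: attach the XSRF header only when the request target is same-origin with the page, or is on an explicit allowlist as requested in the comments. The function names and the `trustedOrigins` parameter are hypothetical; `XSRF-TOKEN` and `X-XSRF-TOKEN` are AngularJS's default cookie and header names, and the URLs and cookie values are constructed.

```javascript
// Added example, not AngularJS code. Helper names are hypothetical.
const XSRF_COOKIE = 'XSRF-TOKEN';   // AngularJS default cookie name
const XSRF_HEADER = 'X-XSRF-TOKEN'; // AngularJS default header name

// Resolve a (possibly relative or scheme-relative) URL against the page URL
// and return its origin: scheme + host + port.
function originOf(url, pageUrl) {
  return new URL(url, pageUrl).origin;
}

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Return the headers to add to a request. The token is attached only for
// same-origin targets or origins listed in trustedOrigins (hypothetical
// opt-in); everything else gets no token, so it never leaks to third parties.
function xsrfHeadersFor(requestUrl, pageUrl, cookieString, trustedOrigins = []) {
  let target;
  try {
    target = originOf(requestUrl, pageUrl);
  } catch (e) {
    return {}; // unparseable URL: fail closed
  }
  const sameOrigin = target === originOf(pageUrl, pageUrl);
  if (!sameOrigin && !trustedOrigins.includes(target)) return {};
  const token = readCookie(cookieString, XSRF_COOKIE);
  return token ? { [XSRF_HEADER]: token } : {};
}

// Constructed sample input.
const page = 'https://app.example.com/index.html';
const cookies = 'session=abc; XSRF-TOKEN=tok123';
console.log(xsrfHeadersFor('/api/items', page, cookies));                   // token sent
console.log(xsrfHeadersFor('https://other.example.net/x', page, cookies));  // {}
```

Comparing full origins rather than hostnames means a different scheme or port on the same host is also treated as cross-origin.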