Hi,

just saw this fix in changelogs for 1.1.1. We are currently developing a mobile Web App with angular 1.0.3 with CORS requests which uses cookies already for authentication. Cookies can be set when withCredentials is set to the XHR request and HTTP-Header "Access-Control-Allow-Credentials" is set.

As one of the next development steps we wanted to set the cookie for the X-XSFT-Token. Can we shelve that as next stable version of angularJS doesn't support that at all for CORS requests? Or can we activate it again?

If not, why remove it completely for CORS requests when server CAN set the cookie. Maybe a config option would be nice then.

Thanks
Marco

Don't send XSFR token header for CORS requests #1096

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions