x-csrf-token header sent on remote API jquery requests
The x-csrf-token header is sent on requests that come from jQuery and don't target our own domains.
This:
- potentially leaks the CSRF token if a user somehow manages to control a jQuery-requested resource
- breaks photon addresspicker results, as the OPTIONS/404 request only happens when we set this header
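
One way to scope the header to our own origins, as an added example that is not the project's code: the token is attached only when the resolved request URL has the page's origin or an allowlisted one. `TRUSTED_ORIGINS`, the `csrf-token` meta tag name, and all hostnames are assumptions made for illustration.

```javascript
// Added example. TRUSTED_ORIGINS and the hostnames below are constructed placeholders.
const TRUSTED_ORIGINS = ['https://app.example.test'];

// True only when requestUrl, resolved against the page URL, points at the
// page's own origin or an explicitly trusted origin.
function isOwnOrigin(requestUrl, pageUrl, trusted) {
  let target;
  try {
    // Resolves relative ("/api/x") and protocol-relative ("//host/x") URLs.
    target = new URL(requestUrl, pageUrl);
  } catch (e) {
    return false; // unparsable URL: never attach the token
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  // Compare whole origins (scheme + host + port), not substrings of the URL.
  return target.origin === new URL(pageUrl).origin || trusted.includes(target.origin);
}

// Headers to add for a given request: the CSRF header or nothing.
function csrfHeadersFor(requestUrl, pageUrl, token, trusted = TRUSTED_ORIGINS) {
  return isOwnOrigin(requestUrl, pageUrl, trusted) ? { 'X-CSRF-Token': token } : {};
}

// Browser wiring: decide per request instead of setting the header globally.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const meta = document.querySelector('meta[name="csrf-token"]'); // assumed tag name
    if (!meta) return;
    const headers = csrfHeadersFor(options.url, window.location.href, meta.content);
    for (const name of Object.keys(headers)) {
      jqXHR.setRequestHeader(name, headers[name]);
    }
  });
}
```

The prefilter only helps if the header is no longer set globally (for example through `$.ajaxSetup({ headers: ... })`), since a global header is still sent to every host. Without the custom header, a simple cross-origin GET to the address lookup service no longer triggers the preflight OPTIONS request.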