﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
22859	set crossDomain = false in ajaxSetup is bad	flisky	nobody	"The docs suggest this -
{{{
$.ajaxSetup({
    crossDomain: false, // obviates need for sameOrigin test
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader(""X-CSRFToken"", csrftoken);
        }
    }
});
}}}


However, people need to set crossDomain = true if there is a cross-domain request under some circumstances.
(In my case, I use CORS with the server responding with 'Access-Control-Allow-Origin' and no 'Access-Control-Request-Headers')

Actually, jQuery does this more intelligently: 
{{{ default: false for same-domain requests, true for cross-domain requests }}}

And jQuery sets the crossDomain value **before** calling {{{beforeSend}}}, so I propose this:
{{{
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader(""X-CSRFToken"", csrftoken);
        }
    }
});
}}}"	Bug	closed	Documentation	dev	Normal	fixed			Accepted	1	0	0	0	0	0
