fix($http): only set X-XSFR-TOKEN header for same-domain request

This is needed to prevent CORS preflight checks. The XSFR token
is quite useless for CORS requests anyway.

BREAKING CHANGE: X-XSFR-TOKEN is no longer send for cross domain
requests. This shouldn't affect any known production service.

Closes #1096

0 files changed, 0 insertions, 0 deletions