Prevent CSRF token from being leaked to cross-origin requests

[Lucisu]

Currently, the code inside the html_load_controller.js makes the CSRF token being sent to every Axios and Turbo request:

platform/resources/js/controllers/html_load_controller.js

Lines 41 to 46 in 7e63b9c

	window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
	window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
	document.addEventListener("turbo:before-fetch-request", (event) => {
	event.detail.fetchOptions.headers["X-CSRF-TOKEN"] = token.content;
	});

This, however, leaks the token to cross-origin requests as well, defeating the whole purpose of CSRF protection.

This fix prevents the token from being leaked to cross-origin requests.

For Axios, it is certain that it needs to be implemented. For Turbo, I'm not sure the "turbo:before-fetch-request" is triggered during cross-origin requests, but I added the fix there as well, just in case.

[tabuna]

Hi! Thanks for pointing that out.

To be honest, I'm not sure it's still necessary to manually set the CSRF token this way. Back when Hotwire was still Turbolinks, it was required, but now the framework should automatically fetch the value from:

<meta name="csrf-token" content="[your-value]">

Maybe we should try removing this and rely entirely on the framework?