diff --git a/common/js/common.js b/common/js/common.js
index 2a8e701dc..52828761f 100644
--- a/common/js/common.js
+++ b/common/js/common.js
@@ -17,7 +17,19 @@
 ($.os.Linux) ? 'Linux' :
 ($.os.Unix) ? 'Unix' :
 ($.os.Mac) ? 'Mac' : '';
-
+
+ /* Intercept jQuery AJAX calls to add CSRF headers */
+ $.ajaxPrefilter(function(options) {
+ var _u1 = $("").attr("href", location.href)[0];
+ var _u2 = $("").attr("href", options.url)[0];
+ if (_u2.hostname && (_u1.hostname !== _u2.hostname)) return;
+ var token = getCSRFToken();
+ if (token) {
+ if (!options.headers) options.headers = {};
+ options.headers["X-CSRF-Token"] = token;
+ }
+ });
+
 /* Intercept getScript error due to broken minified script URL */
 $(document).ajaxError(function(event, jqxhr, settings, thrownError) {
 if(settings.dataType === "script" && (jqxhr.status >= 400 || (jqxhr.responseText && jqxhr.responseText.length < 40))) {
diff --git a/common/js/xml_handler.js b/common/js/xml_handler.js
index 12bd9d9b9..75e8642a0 100644
--- a/common/js/xml_handler.js
+++ b/common/js/xml_handler.js
@@ -149,7 +149,6 @@
 $.ajax({
 url : url,
 type : "POST",
- headers: { "X-CSRF-Token": params._rx_csrf_token },
 dataType : "json",
 data : params,
 success : successHandler,
@@ -259,7 +258,6 @@
 $.ajax({
 type: "POST",
 dataType: "json",
- headers: { "X-CSRF-Token": params._rx_csrf_token },
 url: request_uri,
 data: params,
 success : successHandler,
@@ -324,7 +322,6 @@
 $.ajax({
 type: "POST",
 dataType: "html",
- headers: { "X-CSRF-Token": params._rx_csrf_token },
 url: request_uri,
 data: params,
 success: successHandler,
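Review bot: The same-origin guard in the new prefilter compares only `hostname`, so a request to the same host on a different port or scheme (a distinct origin) would still receive the `X-CSRF-Token` header; comparing scheme and host:port as well closes that gap, e.g. `if (_u2.hostname && (_u1.protocol !== _u2.protocol || _u1.host !== _u2.host)) return;`. As rendered here both anchors are created with `$("")`, which yields an empty jQuery set and would leave `_u1`/`_u2` undefined — this looks like an `<a>` element tag lost in extraction, but is worth confirming against the committed file. The three xml_handler.js hunks drop their per-call header and now depend on this prefilter, so any page issuing those POSTs must have loaded common.js and registered the prefilter before the first request, otherwise the token is silently absent. The enclosing function that contains this block begins before the hunk.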