Tags: angularjs, security, cross-domain, csrf, x-xsrf-token

Why XSRF token is not being sent on cross-origin?


This is a snippet from the file http.js in AngularJS 1.6.4 on GitHub:

// Read the XSRF cookie only when the request targets the page's own origin
// (urlIsSameOrigin compares protocol and host, including port).
var xsrfValue = urlIsSameOrigin(config.url)
    ? $$cookieReader()[config.xsrfCookieName || defaults.xsrfCookieName]
    : undefined;
// Copy the cookie value into the XSRF request header (default X-XSRF-TOKEN).
if (xsrfValue) {
    reqHeaders[(config.xsrfHeaderName || defaults.xsrfHeaderName)] = xsrfValue;
}

Why is the XSRF token included only if the request is meant for the same origin? What if a RESTful backend is on a different host than the frontend; shouldn't XSRF protection be used nevertheless?


Solution

  • XSRF protection in this case works by comparing the token received in the config.xsrfHeaderName header to the token received as the config.xsrfCookieName cookie (see "double posting" protection against XSRF). The cookie will not be sent to other origins anyway, so there is no point in sending the header.

    In this case the other origin presumably uses authentication that does not rely on something automatically added to requests by the browser (i.e. cookies), but is probably token based, as most APIs are. In that case it is not vulnerable to XSRF.