diff --git a/libraries/csrf-magic/csrf-magic.js b/libraries/csrf-magic/csrf-magic.js
index 4891971204dfdb9a3a6e486b7b34c0a670704f72..1e65454e82cff5e2e0afb92b406f7d2ffe2d8545 100644
--- a/libraries/csrf-magic/csrf-magic.js
+++ b/libraries/csrf-magic/csrf-magic.js
@@ -27,6 +27,8 @@ CsrfMagic = function(real) {
 CsrfMagic.prototype = {
 
     open: function(method, url, async, username, password) {
+        // track for cross-domain check.
+        this.csrf_reqUrl = url;
         if (method == 'POST') this.csrf_isPost = true;
         // deal with Opera bug, thanks jQuery
         if (username) return this.csrf_open(method, url, async, username, password);
@@ -53,10 +55,18 @@ CsrfMagic.prototype = {
         }
         delete this.csrf_reqContentType;
 
+        // Avoid CSRF for cross-domain requests
+        var crossDomain = false;
+        if (this.csrf_reqUrl && this.csrf_reqUrl.indexOf("://") >= 0 && this.csrf_reqUrl.indexOf(location.origin) !== 0) {
+            crossDomain = true;
+        }
+        delete this.csrf_reqUrl;
+
         if(data instanceof FormData) {
-            data.append(csrfMagicName,csrfMagicToken);
+            if (!crossDomain) data.append(csrfMagicName,csrfMagicToken);
             return this.csrf_send(data);
         }else{
+            if (crossDomain) prepend = "";
             return this.csrf_send(prepend + data);
         }
     },