Question

Angular sets the X-XSRF-TOKEN header to the value of the XSRF-TOKEN cookie:

var xsrfValue = isSameDomain(config.url, $browser.url())
                ? $browser.cookies()[config.xsrfCookieName || defaults.xsrfCookieName]
                : undefined;
if (xsrfValue) {
  headers[(config.xsrfHeaderName || defaults.xsrfHeaderName)] = xsrfValue;
}

But, if one sets the XSRF-TOKEN cookie using $cookieStore (for Rails integration, for example):

$cookieStore.put("XSRF-TOKEN", "my_token"); 

the cookie is stored as a JSON string:

put: function(key, value) {
  $cookies[key] = angular.toJson(value);
}

This means that the header will have the extra double quotes:

X-XSRF-TOKEN    "my_token"

Why doesn't Angular call fromJson() when it sets the value of the header, so that the header will look like this:

X-XSRF-TOKEN    my_token

?

That would save us from removing the extra double quotes on the server side.

Am I missing something obvious here?

Note: I'm not looking for workarounds. I'm trying to understand whether this behavior is the intended behavior, and if yes, what is the rationale?


Solution

Here is the official answer I got:

The real problem here is that you are trying to use the $cookieStore for the wrong purpose. The $cookieStore is an abstraction on top of $cookie, which works with objects and serializes them to JSON. If you want to assign the XSRF token then just use $cookie to write it, which works directly with strings.

In other words, one should do:

$cookies["XSRF-TOKEN"] = "my_token"; // Stored as: my_token

rather than:

$cookieStore.put("XSRF-TOKEN", "my_token"); // Stored as: "my_token"
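
The effect of the two writes on a server-side token check, as an added example that is not part of the original answer and not AngularJS's own code. The names cookieJar, cookiesWrite, cookieStorePut, buildXsrfHeader, safeEqual, verifyXsrf and demo are hypothetical, the same-domain test is left out, and the server is assumed to compare the header exactly against the token it issued:

```javascript
// Simplified models of the pieces quoted above (hypothetical names, not framework code).
const cookieJar = {}; // stands in for the browser cookie store behind $cookies

// $cookies-style write: the string is stored unchanged.
function cookiesWrite(name, value) {
  cookieJar[name] = value;
}

// $cookieStore.put-style write: the value is serialized to JSON first.
function cookieStorePut(name, value) {
  cookieJar[name] = JSON.stringify(value);
}

// Like $http: the raw cookie value is copied into the header, with no fromJson().
function buildXsrfHeader(cookieName = "XSRF-TOKEN", headerName = "X-XSRF-TOKEN") {
  const headers = {};
  const xsrfValue = cookieJar[cookieName];
  if (xsrfValue) headers[headerName] = xsrfValue;
  return headers;
}

// Assumed server side: exact comparison that does not stop at the first mismatch.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function verifyXsrf(headers, issuedToken) {
  return safeEqual(headers["X-XSRF-TOKEN"], issuedToken);
}

// Write the token with the given writer, build the header, run the server check.
function demo(writer, token) {
  delete cookieJar["XSRF-TOKEN"];
  writer("XSRF-TOKEN", token);
  const headers = buildXsrfHeader();
  return { header: headers["X-XSRF-TOKEN"], accepted: verifyXsrf(headers, token) };
}

console.log(demo(cookieStorePut, "my_token")); // constructed sample token
console.log(demo(cookiesWrite, "my_token"));
```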

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow