According to the official egg.js documentation:

In the default CSRF configuration, the token is set in a Cookie. When an AJAX request is made, the token can be read from the Cookie and sent to the server in the query, body or header. In jQuery:
    var csrftoken = Cookies.get("csrfToken");
    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
        return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
    }
    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("x-csrf-token", csrftoken);
            }
        },
    });
In the RESTful and cross-domain case, the requested page file does not go through the egg.js server, so the csrf token is not planted in the cookie when the first request is a POST (for example, login); there is no csrf token in the client cookie, so the request is bound to fail. How can this be solved, when the csrf token in the cookie can only be read after another request has already been made?

Addendum: is a RESTful API based on token authentication free of CSRF risk?