So far, even though the routes for this app are protected by the auth middleware, I am not dealing with CORS, because I am in the same domain as the login session and Angular has the benefits of sessions and XSRF.

You can see here that it is injecting it into the request for me as I use $http:

Figure 10 XSRF

So, if I went to another site in the same browser, the site cannot use the session from the site that I am coming from to make a request. In this case, if my request was using jQuery, for example, I would need to include this information. Here is an example using jQuery, so we can see a more manual approach to this.