CORS is probably overkill for this app since the client and server are on the same origin; I'm not sure we want to expose resources to other origins.
Also, I think this would mean that any AJAX requests dependent on sessions (e.g. anything that references current_user) won't work because of the null_session option.
There's an ng-rails-csrf gem that handles grabbing the CSRF token and setting it on every AJAX request, which worked for Cliff and me on the angular-donuts app.