diff --git a/resources/assets/src/js/__tests__/admin.test.js b/resources/assets/src/js/__tests__/admin.test.js
index ba49b924..5bbaaa94 100644
--- a/resources/assets/src/js/__tests__/admin.test.js
+++ b/resources/assets/src/js/__tests__/admin.test.js
@@ -1338,6 +1338,7 @@ describe('tests for "common" module', () => {
 url: 'https://work.prinzeugen.net/statistics/feedback',
 type: 'POST',
 dataType: 'json',
+ xhr: expect.any(Function),
 data: { site_name: 'inm', site_url: 'http://tdkr.mur', version: '8.1.0' }
 });
 expect(window.document.cookie).not.toBe('');
diff --git a/resources/assets/src/js/admin/common.js b/resources/assets/src/js/admin/common.js
index c423f1cc..258c2d3d 100644
--- a/resources/assets/src/js/admin/common.js
+++ b/resources/assets/src/js/admin/common.js
@@ -31,6 +31,17 @@ async function sendFeedback() {
 site_name: blessing.site_name,
 site_url: blessing.base_url,
 version: blessing.version
+ },
+ xhr: () => {
+ // Don't send 'X-CSRF-TOKEN' header to a cross-origin server
+ // @see https://gist.github.com/7kfpun/a8d1326db44aa7857660
+ const xhr = $.ajaxSettings.xhr();
+ const setRequestHeader = xhr.setRequestHeader;
+ xhr.setRequestHeader = function (name, value) {
+ if (name === 'X-CSRF-TOKEN') return;
+ setRequestHeader.call(this, name, value);
+ };
+ return xhr;
 }
 });
 if (errno === 0) {
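Review bot: `xhr: expect.any(Function)` only asserts that some callback was passed, so the test does not verify the property the commit exists for — that the CSRF token never reaches the third-party endpoint. A stronger check would take the `xhr` option from the captured `$.ajax` call, invoke it, call `setRequestHeader('X-CSRF-TOKEN', 'tok')` and another header on the result, and assert that the underlying `setRequestHeader` was called once and only with the non-CSRF header. The enclosing test case starts before this hunk.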
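Review bot: The filter in the patched `setRequestHeader` is an exact, case-sensitive match on `'X-CSRF-TOKEN'`, while HTTP header names are case-insensitive; if the global header is ever registered as `X-Csrf-Token` (by `$.ajaxSetup` or a later refactor) the token would silently leak again to the cross-origin host. Comparing normalised names, `if (name.toLowerCase() === 'x-csrf-token') return;`, closes that gap, and the comment should state the intent explicitly: `// Strip the session CSRF token: this request goes to a third-party origin and must not carry site credentials`. Note that only this one header is suppressed — any other credential-bearing header added globally would still be sent, so the wrapper is worth keeping in mind as the place to extend if such headers are introduced. The enclosing `sendFeedback` function starts before and continues after this hunk.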