CSRF should be added on local requests only rather than excluded from some calls
Right now CSRF is included on all requests except those that match a given list. Instead, we should do a RegExp.test to check against the api_prefix() value and check the first character of the string to see if it's a / character. If we aren't worried about IE11 compat, I would have suggested String.startsWith instead, but that's flat out broken in IE sadly.
Edited by Martin Lowe
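
An added example, not part of the original issue or the project's code: one way to write the local-request check described above in IE11-compatible JavaScript. It also rejects protocol-relative URLs (//host/...), which pass a bare first-character test but resolve to another origin. The function names, the X-CSRF-TOKEN header name and the example.test URLs are assumptions; the prefix argument stands in for the value of api_prefix().

```javascript
// Added example with hypothetical names; apiPrefix stands in for api_prefix().

// Escape regex metacharacters so the prefix is matched literally
// (otherwise "." in a host name would match any character).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns a function that is true only for URLs that stay on our own API.
function makeLocalRequestTest(apiPrefix) {
  var trimmed = String(apiPrefix || '').replace(/\/+$/, '');
  // Anchor at the start and require a path boundary after the prefix, so
  // "https://api.example.test/v1.evil.example" does not count as a match.
  // An empty prefix is skipped: it would otherwise match every URL.
  var prefixRe = trimmed
    ? new RegExp('^' + escapeRegExp(trimmed) + '(?:[/?#]|$)')
    : null;

  return function isLocalRequest(url) {
    if (typeof url !== 'string' || url.length === 0) return false;
    // URL parsers drop tabs and newlines, so "/\t/host" is read as "//host".
    if (/[\t\n\r]/.test(url)) return false;
    if (prefixRe && prefixRe.test(url)) return true;
    // Same-origin relative path: first character is "/", and the second is
    // neither "/" nor "\" (both are treated as protocol-relative).
    var second = url.charAt(1);
    return url.charAt(0) === '/' && second !== '/' && second !== '\\';
  };
}

// Attach the token header only when the request is local; fail closed otherwise.
function csrfHeadersFor(url, token, isLocalRequest) {
  return isLocalRequest(url) ? { 'X-CSRF-TOKEN': token } : {};
}

// Constructed sample values for a stand-alone run.
var isLocal = makeLocalRequestTest('https://api.example.test/v1/');
console.log(csrfHeadersFor('/account/profile', 'tok123', isLocal));
console.log(csrfHeadersFor('//third-party.example/collect', 'tok123', isLocal));
```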