    Don't rely on cookies to provide the csrf token · cba2320b
    Randall Leeds authored
    Angular won't see the cookie value when running from the extension
    because the app page is served from the extension bundle and is
    therefore on a different origin than the backend.
    
    Similarly, Angular doesn't set the header when making cross-origin
    requests.
    
    Work around the issue by sending the token in responses from the
    backend and setting the header ourselves.
csrf.coffee 1.03 KB
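The workaround described in the commit message, sketched as an added example in plain JavaScript; it is not the contents of csrf.coffee or any code from the project. The header name, the JSON field carrying the token, the backend origin, and the function name `makeCsrfInterceptor` are all assumptions made for illustration. The object has the `request`/`response` shape of an Angular `$http` interceptor and scopes the token to the backend origin so it is never sent elsewhere.

```javascript
// Added example, not the project's csrf.coffee. The header name, body field
// and backend origin used here are assumptions chosen for illustration.
const CSRF_HEADER = 'X-CSRF-Token'; // assumed header the backend validates
const CSRF_FIELD = 'csrf_token';    // assumed field in backend JSON responses

function makeCsrfInterceptor(backendOrigin) {
  let token = null; // held in memory only, since the cookie is not readable

  // True only for absolute URLs whose origin is exactly the backend's.
  function isBackend(url) {
    try {
      return new URL(url).origin === backendOrigin;
    } catch (e) {
      return false; // relative URL: it would resolve to the extension origin
    }
  }

  return {
    // Outgoing: set the header ourselves, but only on backend requests,
    // so the token is never disclosed to a third-party origin.
    request(config) {
      if (token !== null && isBackend(config.url)) {
        config.headers = Object.assign({}, config.headers, {
          [CSRF_HEADER]: token,
        });
      }
      return config;
    },

    // Incoming: accept a token only from a backend response body.
    response(res) {
      const data = res.data;
      if (isBackend(res.config.url) && data &&
          typeof data[CSRF_FIELD] === 'string') {
        token = data[CSRF_FIELD];
      }
      return res;
    },
  };
}
```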