On Thu, Feb 19, 2015 at 12:38 PM, Brad Hill <hillb...@gmail.com> wrote:
> I think that POSTing JSON would probably expose to CSRF a lot of things that
> work over HTTP but don't expect to be interacted with by web browsers in
> that manner. That's why the recent JSON encoding for forms mandates that it
> be same-origin only.

Note that you can already POST JSON cross-origin. Without any preflight. The only thing you can't do is to set the "Content-Type" header to the official JSON mimetype.

So the question is, does the server check that the Content-Type header is set to "application/json" and if not abort any processing?

/ Jonas
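
The server-side check the reply asks about, as an added example that is not part of the original message: a handler that refuses to parse the body unless the request's media type is exactly `application/json`. The function names, status codes and sample requests are assumptions constructed for illustration.

```python
import json

JSON_TYPE = "application/json"


def media_type(content_type):
    """Return the lowercased type/subtype of a Content-Type value, without parameters."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def handle_json_post(headers, body):
    """Decide whether a POST body may be processed as JSON.

    headers: dict of request headers; body: raw bytes.
    Returns (status_code, result).
    """
    # Header names are case-insensitive, so normalise them before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    mtype = media_type(lowered.get("content-type"))

    # Exact match on the media type, not a substring search, and no
    # fallback of the form "it parses as JSON, so treat it as JSON".
    # A missing header is rejected the same way as a wrong one.
    if mtype != JSON_TYPE:
        return 415, {"error": "Content-Type must be application/json", "got": mtype}

    try:
        return 200, json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and json.JSONDecodeError
        return 400, {"error": "body is not valid JSON"}


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    ({"Content-Type": "application/json; charset=utf-8"}, b'{"op": "rename"}'),
    ({"content-type": "text/plain"}, b'{"op": "rename"}'),
    ({}, b'{"op": "rename"}'),
    ({"Content-Type": "application/json"}, b"not json"),
]

if __name__ == "__main__":
    for sample_headers, sample_body in SAMPLES:
        print(sample_headers, "->", handle_json_post(sample_headers, sample_body))
```

The second and third samples carry a body that is valid JSON but are still rejected with 415, which is the behaviour the question turns on: the decision is made from the header before any parsing happens.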