If I understand correctly, there is no need to use a CSRF token if you accept JSON as application/json from an AJAX form (really AJAJ, for JSON), right?
If someone tries to send a message to the form from another page using some elegant POST-to-iframe hack, it will be application/x-www-form-urlencoded, so you can immediately throw it away.
If someone tries to send a message to the form using AJAJ, it will only succeed if there are CORS headers in OPTIONS that allow this.
Conclusion: if you are not using CORS, you cannot use CSRF, as when using application/json instead of application/x-www-form-urlencoded.
Any contradictions that I am not considering?
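Added example, not code from the question or any answer: a server-side version of the Content-Type gate the question describes, written in Python. It assumes the handler can read the raw Content-Type header and request body; the sample requests are constructed for the demonstration.

```python
import json

# Constructed sample requests (not from the original post): Content-Type header, raw body.
SAMPLE_REQUESTS = {
    "ajax_json": ("application/json", b'{"message": "hello"}'),
    "ajax_json_charset": ("Application/JSON; charset=utf-8", b'{"message": "hello"}'),
    "iframe_form_post": ("application/x-www-form-urlencoded", b"message=hello"),
    "json_body_wrong_type": ("text/plain", b'{"message": "hello"}'),
    "missing_type": (None, b'{"message": "hello"}'),
    "not_json": ("application/json", b"message=hello"),
}


def media_type(content_type):
    """Return the bare media type from a Content-Type header, lowercased,
    with parameters such as ';charset=utf-8' stripped, so the comparison
    below is an exact match rather than a substring search."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def accept_json_only(content_type, body):
    """Apply the check the question describes: accept only requests whose
    media type is exactly application/json and whose body parses as JSON.
    Returns (accepted, parsed_body) on success or (False, reason) otherwise."""
    if media_type(content_type) != "application/json":
        # A plain HTML form submission (including the POST-to-iframe trick)
        # arrives form-encoded or multipart, so it is rejected at this point.
        return False, "unsupported Content-Type"
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "body is not valid JSON"
    return True, data


def classify_samples():
    """Run every sample request through the gate; returns name -> accepted."""
    return {name: accept_json_only(ct, body)[0]
            for name, (ct, body) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, accepted in classify_samples().items():
        print(f"{name:22} -> {'accepted' if accepted else 'rejected'}")
```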