CSRF cors bypass

If csrf protection is dependent upon application/json body which always trigger cors. this can potentially be bypassed

if content-type header is missing and it's processed