If csrf protection is dependent upon application/json body which always trigger cors. this can potentially be bypassed
if content-type header is missing and it's processed
here: https://nastystereo.com/security/cross-site-post-without-content-type.htmlarrow-up-right
Last updated 9 months ago
