Is a CSRF token needed for "AJAX"-only "application/json"-only POSTs?

If I understand correctly, there's no need for a CSRF token if you're only allowing JSON as application/json from an "AJAX" (really AJAJ for JSON) form, right?

If someone tries to post to the form from another page using some nifty POST-to-iFrame hack it will be application/x-www-form-urlencoded, you can throw it out immediately.

If someone tries to post to the form using AJAJ, it will only succeed if OPTIONS has the CORS headers that allow it.

Conclusion: unless you're using CORS you're safe from CSRF as when you're using application/json instead of application/x-www-form-urlencoded.

Any contradictions I'm not considering?

Solution

Have a look at this Sec.SE question and answer. In short: you are correct (presently), but it's probably not a good idea to rely on this behavior, so use tokens anyway.

Cannot reinitialise DataTable - dynamic data for datatable
how to load partial view in ajax in asp.net core
Debug a single PHP file with $_GET parameters in NetBeans/Eclipse/PHPstorm (AJAX API)
Server side paging with ajax & jQuery
Implementing Paging functionality on a Ajax search based Webcontrol
Origin <origin> is not allowed by Access-Control-Allow-Origin
Are there any good examples of ajax paging?
Detecting end of scroll in a div
How to avoid loading data from server every time doing sorting/paging with ngtable
Getting json data from AJAX in MVC Resource Command (Liferay 7.4)
CheckBox To Behave Like Toggle Switches
How to make AJAX calls - Elgg
can I send a list of objects including images using FormData object from view to the controller by ajax call?
ajax not passing data to view in Django
How to add file upload to WooCommerce checkout?
scrape a website which has the same url for multiple pages? with the page jump being an ajax request
sending image file using ajax to controller action getting null value in action parameter asp.net core
pHp cURL works fine when run through browser call and CLI, but fails in an ajax/fetch call
How do I set up my POST form submission to stay on the same page and input any errors in a div?
Unable to Pass Form Data in Ajax POST
Access properties of an html element injected with AJAX
How can I define a Javascript variable in my Ajax url
Django AJAX: Passing form CSFR verification without proper token attachment. Why?
how do i return the json object of my ajax GET request to an API in Asp.net MVC
How to show PDF in browser using byte array of PDF in JavaScript?
Javascript function returns from function right after await statement
XMLHttpRequest() with IE
Woocommerce Add to cart link Ajax enabled in other post or pages
How to do infinite scrolling with flask? (htmx or other methods)
Handling Dynamic Dropdowns with AJAX and PreSubmit Event