Why does a cross-origin simple POST request not trigger a preflight check? From the Mozilla docs:
A request that doesn’t trigger a CORS preflight—a so-called “simple request”...
The only allowed methods are:
- GET
- HEAD
- POST
...
The only allowed values for the Content-Type header are:
- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
However if a user visits evilsite.com, and they are tricked into filling out a form that simply has a form action="http://elsewhere.com", and the servers on elsewhere.com are expecting valid post requests with multipart/form-data (or any of the other 2 really) wouldn't that NOT protect the servers on elsewhere.com? Shouldn't these in fact be subject to the CORS preflight checks? What am I missing here