As discussed in #567, browsers have allowed various cross-origin requests with non-safelisted Content-Type header values to be sent without CORS preflights. These have occurred either by accident (...