The CORS specification fails to protect legacy servers from POST messages with arbitrary body formatting.
You can create pretty much any arbitrary message body you want using application/x-www-form-urlencoded already by crafting smart names and values, so the real importance is in not being able to set Content-Type. This is not a security problem as far as I can tell.
-- Anne van Kesteren http://annevankesteren.nl/
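
An added example, not part of the original message: a server-side guard built on the point made above, that Content-Type is the part of a POST a cross-origin page cannot set freely. The function names, status codes and sample body are assumptions made for illustration, and the preflight check is simplified to the Content-Type header alone.

```python
import json

# Content-Type values a cross-origin page can send without a CORS preflight
# (the CORS-safelisted media types). Simplified: other headers are ignored.
SAFELISTED_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type):
    """Return the lowercased type/subtype without parameters, '' if absent."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def needs_preflight(content_type):
    """True if a cross-origin POST declaring this Content-Type is preflighted."""
    mt = media_type(content_type)
    # No Content-Type at all also goes out without a preflight.
    return bool(mt) and mt not in SAFELISTED_TYPES


def accept_json_post(content_type, body):
    """Hypothetical guard for an endpoint that expects JSON.

    The decision is made on the declared Content-Type, never on what the
    body looks like. Returns (status, parsed_body_or_None).
    """
    if media_type(content_type) != "application/json":
        return 415, None  # unsupported media type: do not parse at all
    try:
        return 200, json.loads(body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return 400, None


# Constructed sample: identical JSON-shaped bytes under different declared types.
SAMPLE_BODY = b'{"action": "rename"}'

if __name__ == "__main__":
    for ct in ("text/plain", "application/json; charset=utf-8", None):
        print(ct, needs_preflight(ct), accept_json_post(ct, SAMPLE_BODY))
```

A legacy server that parses the body without checking the declared type gets none of this protection, whatever the body's shape.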
