The changes for JCR-4002 have disabled CSRF checking for POST, and thus leave the remoting servlet open for attacks. This HTML form below:
will successfully cross-origin-POST to jackrabbit-standalone.
While fixing this issue, it also became clear that the content-type check failed to take syntax variations into account (upper/lowercase, optional parameters such as `; charset=UTF-8`), so an exact string comparison could be bypassed by a request whose media type was equivalent but not spelled identically.
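As an added illustration of the content-type point (example code, not Jackrabbit's own CSRF filter): a media-type comparison that strips parameters and ignores case, shown beside the naive exact-match check, and wired into a minimal origin check for form-style POSTs. The allowed-host list, the header handling and the constructed sample requests are assumptions made for this example.

```python
from typing import Iterable, Mapping, Optional
from urllib.parse import urlsplit

# Media types a browser will send cross-origin from a plain HTML form
# without a CORS preflight. A CSRF check must treat these as possibly forged.
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def naive_is_form_content_type(content_type: Optional[str]) -> bool:
    """The weak check: exact, case-sensitive comparison of the raw header.
    Fails on 'Application/x-www-form-urlencoded' or on any charset/boundary
    parameter, so such requests slip past the CSRF check."""
    return content_type in FORM_MEDIA_TYPES


def media_type(content_type: Optional[str]) -> str:
    """Reduce a Content-Type header value to its bare media type:
    drop parameters after ';', trim whitespace, lower-case (media types
    are case-insensitive per RFC 2045/7231)."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_form_content_type(content_type: Optional[str]) -> bool:
    """Robust check that tolerates case and parameter variations."""
    return media_type(content_type) in FORM_MEDIA_TYPES


def _host_of(url: Optional[str]) -> Optional[str]:
    """Host part of an Origin/Referer value; None for missing or 'null'."""
    if not url:
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_csrf_safe(method: str, headers: Mapping[str, str],
                 allowed_hosts: Iterable[str]) -> bool:
    """Decide whether a request may proceed (hypothetical policy, an assumption):
    - safe methods always pass;
    - state-changing requests with a non-form media type pass, because a
      browser would require a CORS preflight to send them cross-origin;
    - form-style (or content-type-less) state-changing requests must carry
      an Origin or Referer whose host is in the allowed list."""
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = hdrs.get("content-type")
    if ctype and not is_form_content_type(ctype):
        return True
    # Missing Content-Type is treated like a form post (conservative default).
    source_host = _host_of(hdrs.get("origin") or hdrs.get("referer"))
    allowed = {h.lower() for h in allowed_hosts}
    return source_host is not None and source_host in allowed


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical host "repo.example".
    allowed = ["repo.example"]
    forged = {"Content-Type": "Application/x-www-form-urlencoded; charset=UTF-8",
              "Origin": "http://attacker.example"}
    legit = {"Content-Type": "APPLICATION/X-WWW-FORM-URLENCODED",
             "Referer": "http://repo.example/app"}
    print("naive sees forged as form post:", naive_is_form_content_type(forged["Content-Type"]))
    print("robust sees forged as form post:", is_form_content_type(forged["Content-Type"]))
    print("forged allowed:", is_csrf_safe("POST", forged, allowed))
    print("legit allowed:", is_csrf_safe("POST", legit, allowed))
```

The parameter-stripping step is what closes the gap described above: `multipart/form-data; boundary=...` is always sent with a parameter, so a check that compares the whole header string never matches the very requests it is meant to guard against.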