Here is a script which will do CSRF on cross domain.
Here, we have “Content-Type” as “text-plain” and no new extra header added so CORS will not initiate OPTIONS to check rules on the server side and directly make POST request. At the same time we have kept credential to “true” so cookie will replay.
On the wire we can see following request.
As you can see cookie is replayed and JSON POST has been initiated. We get following response back from application.
Application processed the request and sent JSON back. It is clear case of CSRF. This can be applied to other streams as well.