Common misunderstandings from the exercise sheets
Preflighted requests with CORS
Although the name suggests otherwise, a Content-Security-Policy-Report-Only policy can be deployed alongside a regular (enforcing) Content-Security-Policy: the browser enforces the first and only sends violation reports for the second, which is how a stricter policy is trialled before it is switched on. A report-only policy can, however, only be delivered as an HTTP header, never in a meta element (the report-uri directive is ignored in meta as well). If this were allowed in the meta element, an attacker with an HTML injection could add a policy that blocks every resource and names a server under their control as the report-uri/report-to target. Each violation report carries the document URL of the victim's page, query string included, plus the referrer and the blocked URL, so URLs that contain session IDs would be leaked to the attacker without the page ever breaking visibly.
Using POST instead of GET requests does not make a page less susceptible to a CSRF flaw. An attacker's page can contain a hidden form whose action is the target URL and submit it automatically with a line of JavaScript (or after a single click); the victim's browser sends the POST with the victim's cookies attached, and a form-encoded POST is a "simple" request, so CORS does not preflight it. The best protection is an unpredictable per-session token (a random nonce) embedded in the form as a hidden field and checked server-side on every state-changing request. The attacker cannot learn the token, because reading the page that contains it is blocked by the same-origin policy, so a forged form cannot be completed.