Common misunderstandings from the exercise sheets
Preflighted requests with CORS
Not all cross-domain origins must be preflighted, since the same request could be issued without JavaScript (e.g., submitting a form or loading any URL including cookies). Hence, it is sufficient to merely ensure the CORS policy would allow access to the resource (by setting both Access-Control-Allow-Origin: http://domain.com and Access-Control-Allow-Credentials: true) once JavaScript tries to access it.
Content-Security-Policy-Report-Only
Although the name suggests otherwise, a Content-Security-Policy-Report-Only policy can be deployed alongside a regular CSP policy. In case this were allowed in the meta element, an attacker could simply create a policy blocking any resource and specify his own site as a report-uri/report-to. This would allow him to leak the URLs (possibly containing session IDs) from his victims.
CSRF Protection
Using POST instead of GET requests does not make a page less susceptible to a CSRF flaw. An attacker can just as easily force the browser to fill a form and submit it via POST. The best protection can be achieved by using random nonces in the form, which are protected from an attacker by the same-origin policy.