7f5fa6d715
And close the gap with JSON requests, which shouldn't be allowed if Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this wouldn't be coming from a browser.