Name CSRF Demo

This page shows a demonstration of a Cross-Site Request Forgery (CSRF) attack that attempts to edit a user's display name on Tomodachi Share.

This route reads its body as JSON with request.json(). A normal cross-origin HTML form cannot send application/json, so this demo uses a text/plain form body instead, which may work if the server parses JSON without checking the Content-Type header.

The request is only sent after you click the button and confirm the warning.
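The server-side check that closes the Content-Type gap described above, as an added example that is not Tomodachi Share's code: the body is parsed only after the media type and the Origin header have been verified. The allowed origin, the displayName field and all function names are assumptions.

```javascript
// Added example, not Tomodachi Share code. The origin, the displayName field
// and all function names are assumptions made for illustration.
const ALLOWED_ORIGIN = "https://app.example"; // constructed placeholder

// Decide whether a state-changing JSON request may be parsed at all.
// `request` is anything with a Fetch-style headers.get(name).
function checkJsonRequest(request, allowedOrigin = ALLOWED_ORIGIN) {
  // HTML forms can only send urlencoded, multipart or text/plain bodies, so
  // requiring application/json rejects the text/plain form body.
  const rawType = request.headers.get("content-type") || "";
  const mediaType = rawType.split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    return { ok: false, status: 415, reason: "unsupported content type" };
  }
  // Second layer: the browser-set Origin header must match this site.
  // A missing Origin is rejected too (strict policy chosen for this example).
  const origin = request.headers.get("origin") || "";
  if (origin !== allowedOrigin) {
    return { ok: false, status: 403, reason: "origin mismatch" };
  }
  return { ok: true, status: 200, reason: null };
}

// Route handler: request.json() runs only after both checks pass.
async function handleNameUpdate(request) {
  const verdict = checkJsonRequest(request);
  if (!verdict.ok) return { status: verdict.status, error: verdict.reason };
  const body = await request.json();
  return { status: 200, displayName: String(body.displayName) };
}

// Constructed stand-in for a Fetch Request (lower-case header names).
function sampleRequest(headers, bodyText) {
  return { headers: new Map(Object.entries(headers)),
           json: async () => JSON.parse(bodyText) };
}

const formStyle = sampleRequest(
  { "content-type": "text/plain", origin: "https://other.example" },
  '{"displayName":"x"}');
const sameSite = sampleRequest(
  { "content-type": "application/json; charset=utf-8", origin: ALLOWED_ORIGIN },
  '{"displayName":"Alice"}');

handleNameUpdate(formStyle).then((r) => console.log("form-style:", r));
handleNameUpdate(sameSite).then((r) => console.log("same-site:", r));
```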
