of course - but a server backend could demand that the request contains the Content-type header. JSON Hijacking uses a script tag, which in turn does not allow to set HTTP headers, unlike XmlHttpRequest.