As indicated by `enctype`, and the resulting Content-Type on the request, you're POSTing plain text, not JSON. A server needs to verify the Content-Type of the incoming data to ensure it doesn't fall victim to this sort of thing, or just misinterpret other data. In this case, the server is misinterpreting plain text as if it were JSON.
(A good HTTP framework, IMO, should come with this built into its API, on requesting the payload as a JSON object. Some frameworks … try. A lot do leave it up to the user, which is hideously error prone. Also, this isn't to defend that cross-origin POST is sort-of allowed. I wish we could remove that historical wart.)
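An added example, not part of the comment above and not taken from any framework: a sketch of the server-side check it describes, which refuses to parse a body as JSON unless the request's Content-Type says it is JSON. The function names, the `UnsupportedMediaType` exception and the sample requests are assumptions constructed for illustration.

```python
import json


class UnsupportedMediaType(Exception):
    """Raised when the body is not declared as JSON (maps to HTTP 415)."""


def media_type(content_type):
    """Return the bare type/subtype, lowercased, with parameters dropped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_json_media_type(mt):
    """Accept application/json and structured suffixes like application/problem+json."""
    return mt == "application/json" or (
        mt.startswith("application/") and mt.endswith("+json")
    )


def parse_json_body(headers, body):
    """Parse body as JSON only if the Content-Type header declares JSON."""
    # Header names are case-insensitive, so look the header up that way.
    declared = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), None
    )
    if not is_json_media_type(media_type(declared)):
        raise UnsupportedMediaType(declared)
    return json.loads(body.decode("utf-8"))


def handle(headers, body):
    """Return the HTTP status a handler built on parse_json_body would send."""
    try:
        parse_json_body(headers, body)
    except UnsupportedMediaType:
        return 415
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400
    return 200


# Constructed sample: bytes that happen to be valid JSON, as a form
# submitted with enctype text/plain could deliver them.
BODY = b'{"action": "update"}'

if __name__ == "__main__":
    for ct in ("text/plain", "application/json; charset=utf-8", None):
        print(ct, "->", handle({"Content-Type": ct} if ct else {}, BODY))
```

The check compares the parsed media type rather than searching the header for the substring `json`, so a value such as `text/plain; application/json` is still rejected.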