GWT's RPC mechanism does the following things on every HTTP Request -

1. Sets two custom request headers - X-GWT-Permutation and X-GWT-Module-Base
2. Sets the content-type as text/x-gwt-rpc; charset=utf-8

The HTTP request is always a POST, and on server side GET methods throw an exception (method not supported).

Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that effect.

Question is : Is this sufficient to prevent CSRF? Is there a way to set custom headers and change content type in a pure cross-site request forgery method?