My team is building a site that uses AJAX calls to WCF services for all state changes. Those services only accept a request if its method is POST and its Content-Type is 'application/json'. Assuming that our site has no XSS vulnerabilities, is this sufficient protection against CSRF for our WCF services? Is it possible for an attacker to create a cross-site POST with a custom Content-Type header?
[EDIT] Obviously there are several ways for a malicious third party site to construct an HTTP POST request to my site. As far as I am aware, however, none of these methods allow for changing the Content-Type header. XHR and Flash both let you set headers, but have strict cross-site restrictions.