
> Exactly, you can also trigger forms for POST or DELETE, etc.

You can't do a DELETE from a form. You have to use AJAX. If cross-origin, DELETE needs a preflight.

To nitpick, CSRF is not the ability to use forms per se, but relying solely on the existence of a cookie to authorize actions with side effects.
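
The distinction drawn in the comment above, as an added example that is not part of the original thread: `needsPreflight` models which cross-origin requests a browser sends without a CORS preflight, and `authorize` shows a server refusing to treat the session cookie alone as authorization for a side effect. All function names, the `X-CSRF-Token` header, and the sample requests are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical and the sample requests are constructed.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // assumed to have no side effects

// req.headers holds only the headers the page's own script or form sets.
// Simplified from the Fetch spec: header value limits and Range are ignored.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const key = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(key)) return true;
    if (key === "content-type" &&
        !SIMPLE_TYPES.has(String(value).split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Constant-time string comparison so the check does not leak the token by timing.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the cookie-backed session identifies the user, but a request with
// side effects must also carry a token that a cross-site page cannot read.
function authorize(req, session) {
  if (!session) return { ok: false, reason: "no session" };
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true, reason: "safe method" };
  const sent = Object.entries(req.headers || {})
    .find(([name]) => name.toLowerCase() === "x-csrf-token");
  if (sent && sameToken(sent[1], session.csrfToken)) return { ok: true, reason: "token matches" };
  return { ok: false, reason: "cookie only" };
}

// Constructed sample data.
const session = { user: "alice", csrfToken: "constructed-token-123" };
const formPost = { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
const fetchDelete = { method: "DELETE", headers: {} };
const tokenDelete = { method: "DELETE", headers: { "X-CSRF-Token": "constructed-token-123" } };
```

The form-style POST reaches the server without a preflight, so the `authorize` check is what stops it; the DELETE is preflighted but is still rejected server-side when it carries nothing beyond the cookie.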





