javascript ajax xmlhttprequest cors xmlhttprequest-level2

In CORS, are POST requests with credentials pre-flighted?


In the MDN Access Control doc, GET requests with credentials are not preflighted. But if the response headers don't include Access-Control-Allow-Credentials: true, then the response will not be available to the invoking client. If this behaviour is the same for POST requests as well (a simple POST request with credentials, where the Content-Type may be form-data), there is a risk that the POST might change the server state even though the response may not be made available to the client. Is this assumption correct?

Or are POST requests with credentials pre-flighted?


Solution

  • Preflight requests are intended to stop the browser from sending certain kinds of requests to a server unless the server explicitly allows it. However, browsers could already send credentialed POST requests directly to the server prior to the advent of CORS support.

    The "Security Considerations" part of the CORS spec says (emphasis mine):

    Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.

    In other words, the ability to have credentialed POST requests reach the server without a preflight is nothing new: developers have been able to make it happen ever since browsers supported <form>s. Therefore, there is no benefit to requiring a preflight for Ajax that includes credentialed POST requests.
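
A simplified model of the behaviour described in the question and answer above, added here as an example and not part of the original post: it shows that credentials play no part in the preflight decision, that a form-style POST reaches the handler and changes state even though the response is unreadable, and that the server has to make its own decision. The names `handleTransfer` and `trustedOrigins`, the sample origin, and the use of an Origin allowlist as the server-side check are assumptions for illustration; the header allowlist is the classic "simple request" set, not the full current Fetch rules.

```javascript
// Simplified model of the browser-side CORS rules discussed above (constructed example).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser must send an OPTIONS preflight first.
// Whether the request carries credentials is never consulted here.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// True when the calling script is allowed to read the response.
function responseReadable(req, resHeaders) {
  const acao = resHeaders["access-control-allow-origin"];
  if (req.withCredentials) {
    // Credentialed reads need an exact origin match plus Allow-Credentials: true.
    return acao === req.origin && resHeaders["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === req.origin;
}

// Hypothetical state-changing endpoint. trustedOrigins (optional) is the
// server-side check; req.origin stands for the request's Origin header.
function handleTransfer(req, state, trustedOrigins) {
  if (trustedOrigins && !trustedOrigins.has(req.origin)) return { status: 403, headers: {} };
  state.transfers += 1; // side effect happens before the browser evaluates any CORS header
  return { status: 200, headers: {} }; // no CORS headers, so the reply is unreadable cross-origin
}

// Constructed sample: credentialed, form-encoded POST from another origin.
const crossSitePost = {
  method: "POST", origin: "https://other.example", withCredentials: true,
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
};
```

Hiding the response from the caller does not undo the side effect, so a state-changing endpoint needs its own server-side check.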