I’d like to build a custom whitelisted API method that I can call via some html/javascript snippets that I put on the public website (for logged-out and logged-in users).
However, these would be POST calls and the CSRF checks prohibit calling them via javascript.