The route decorator can have some extra parameters, in order to customize its behavior further. By default, all HTTP methods are allowed, and Odoo intermingles the parameters passed. Using the methods parameter, you can pass a list of methods to accept, which would usually be one of either ['GET'] or ['POST'].

To allow cross-origin requests (browsers block AJAX and some other types of requests to domains other than where the script was loaded from, for security and privacy reasons), set the cors parameter to * to allow requests from all origins, or a URI to restrict requests to ones originating from this URI. If this parameter is unset, which is the default, the Access-Control-Allow-Origin header is not set, leaving you with the browser's standard behavior. In our example, we might want to set it on /my_module/books/json, in order to allow scripts pulled from other websites to access the list of books.

By default, Odoo protects certain types of requests from an attack known as cross-site request forgery, by passing a token along on every request. If you want to turn that off, set the csrf parameter to False, but note that this is a bad idea, in general.