All unsafe operations fail on PlatformUI.
This is caused by the CSRF token being empty in REST json responses. It doesn't affect xml responses.
The source is the User Controller, where the CsrfToken can be obtained and forwarded as a CsrfToken object. The object happens to be handled, somehow, by the XML serializer, but not by the JSON one.