> I know there are a number of headers used to control cross-site access to websites

Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.

(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)

This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)