I am working with a
application/x-www-form-urlencoded will make it to the server as is, so an attacker might be able to log a user in from the attacker's domain by sending AJAX requests. However, if only text/html is accepted, such a request triggers a preflight OPTIONS request first if cross-domain, and the browser will not send the actual data if the server doesn't explicitly allow it with CORS headers.
So the API requesting credentials as text/html is slightly more secure than application/x-www-form-urlencoded. Other than this, it does not have much effect on security.
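
The preflight distinction described above, as an added example that is not part of the original answer: a simplified model of the browser's CORS-safelisting decision, plus a server-side gate that enforces the single accepted content type (without which a form-encoded request would still arrive unpreflighted). The function names `needsPreflight` and `acceptLogin` and the origins in the usage are hypothetical.

```javascript
// Simplified model of the Fetch spec's CORS-safelisting rules (added example).
// Assumption: ignores header value-length limits, Range, and upload listeners.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeEssence(contentType) {
  return String(contentType).split(';')[0].trim().toLowerCase();
}

// True if a browser must send an OPTIONS preflight before this cross-origin request.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === 'content-type' && !SAFE_CONTENT_TYPES.has(mimeEssence(value))) return true;
  }
  return false;
}

// Hypothetical server-side gate for a credentials endpoint. Header names are
// expected in lower case, as Node's http module delivers them.
function acceptLogin(reqHeaders, requiredType, allowedOrigins) {
  // Reject every content type except the one that forces a preflight;
  // otherwise a form-encoded cross-origin POST still reaches the handler.
  const type = mimeEssence(reqHeaders['content-type'] || '');
  if (type !== requiredType) return { ok: false, status: 415 };
  // Origin is absent for non-browser clients; when present it must be allow-listed.
  const origin = reqHeaders['origin'];
  if (origin && !allowedOrigins.includes(origin)) return { ok: false, status: 403 };
  return { ok: true, status: 200 };
}
```
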